1. Abstract

Recently the AAGL (Anshel-Anshel-Goldfeld-Lemieux) key agreement protocol has been proposed, which can be used for RFID tags. We give algorithms for the problem (we call it the MSCSPv) on which the security of the AAGL protocol is based. Hence we give various attacks, for general parameters, on the recently proposed AAGL protocol. One of our attacks is a deterministic algorithm whose space complexity and time complexity are both at least exponential in the worst case. In a better case, using a probabilistic algorithm, the time complexity can be $O(|XSS(u'_i)|^{\lambda_5} n^{2+\epsilon})$ and the space complexity can be $O(|XSS(u'_i)|^{\lambda_6})$, where the element $u'_i$ is part of a public key, $n$ is the index of the braid group, $XSS$ is a summit type set and $\epsilon$ is a constant in a limit. The above shows the AAGL protocol is potentially not significantly more secure than using key agreement protocols based on the conjugacy problem such as the AAG (Anshel-Anshel-Goldfeld) protocol, because both protocols can be broken with complexities which do not significantly differ. We think our attacks can be improved.
2. Introduction

Recently the AAGL (Anshel-Anshel-Goldfeld-Lemieux) key agreement protocol using braid groups has been proposed [1]; an application of the AAGL protocol is for RFID tags [1]. There is an instantiation of the AAGL protocol in [1] where the AAGL protocol uses braid groups; in all of this paper we refer to the AAGL protocol when it uses braid groups. In this note we give an attack which shows the security of the protocol is based on the multiple simultaneous conjugacy search problem (see definition 1 below). We think our attack can be improved. Note once $z$ is recovered with our attack then the agreed upon key can be computed with the linear algebraic attack given in [1]. All our algorithms can work in groups that are not the braid group.

2.1 Hard Problems in Non-abelian Groups.

Definition. The MSCSP (multiple simultaneous conjugacy search problem) [4] is to find elements $g \in G$ such that $y_i = g x_i g^{-1}$, given the publicly known information: $G$ is a group, $x_i, y_i \in G$ with $y_i = a x_i a^{-1}$, $1 \le i \le u$, with the secret element $a \in G$.

Notation. We refer to an example of the MSCSP as $((x_1, x_2, \ldots, x_u), (y_1, y_2, \ldots, y_u))$ with solution $(g, g^{-1})$.

Definition. Consider the following variant of the MSCSP. If $(x_1, x_2, \ldots, x_u)$ is unknown in the MSCSP $((x_1, x_2, \ldots, x_u), (y_1, y_2, \ldots, y_u))$ and we are then to find the elements $g$, we refer to the above variant of the MSCSP as the MSCSPv (MSCSP-variant).

Notation. We refer to an example of the MSCSPv as $((x_1, x_2, \ldots, x_u), (y_1, y_2, \ldots, y_u))$ with solution $(g, g^{-1})$.

Definition. The CSP [4] can be defined as the MSCSP with $u = 1$.

Notation. We refer to an example of the CSP as $(x, y)$ with solution $(g, g^{-1})$.

Notation. In this paper $XSS$ refers to a set that potentially contains one or more solutions for the MSCSP, so $XSS$ can refer to a summit type set such as $SSS$.

The security of the AAGL protocol is based on the MSCSPv; this is shown below. Our attack is an algorithm to solve the MSCSPv. The main purpose of this paper is, using an algorithm of deterministic factorial time and space complexity or a probabilistic algorithm with time complexity $O(E(u'_i) n^{2+\epsilon})$ and space complexity $O(E(u'_i))$ ($O(E(u'_i))$ is of at least exponential complexity in the braid index $n$ and the word length $W$ of some braid, so $E(u'_i)$ grows at most like a power of the factorial of $n$, $O(n!^q)$; in this paper we refer to $O(n!^q)$ by the abbreviation factorial complexity), to show that the security of the AAGL protocol is equivalent to solving the MSCSP (and hence the CSP) instead of the MSCSPv.

Our result is better than all previous results in the following connection: it works for general parameters, where previously there was only a brute force algorithm (which has factorial complexity) to solve the MSCSPv, and our algorithms are better than the brute force algorithm. The above factorial complexity algorithm of ours may use any factorial time algorithm for the CSP; note the best algorithm to solve the CSP in general has in the worst case factorial running time. Hence this means the AAGL protocol is no more secure than using the AAG protocol [2] in the following connections:

• We show that both protocols are based on the MSCSP (so the AAGL protocol is not strictly based on the MSCSPv as implied in [1]).

• They can both be broken using related deterministic algorithms of factorial complexity that solve the MSCSP.

• There are related probabilistic algorithms (including our probabilistic algorithm 4) that may break both protocols depending on the parameters used.

3. AAGL Key Agreement Protocol

In the recent [1] AAGL propose a key agreement protocol; it differs mainly from the seminal AAG (Anshel-Anshel-Goldfeld) algebraic protocol given in [2] because it is based on the MSCSPv, whereas the AAG protocol is based on a system of conjugacy equations (the MSCSP) [2]. We do not reproduce all details of the AAGL protocol, which can be found in [1], but restrict to the details we require. Let $B_n = \langle b_1, b_2, \ldots, b_{n-1} \mid \cdots \rangle$ be the Artin representation of the braid group on $n$ strings. In [1] an example of the protocol is given using braid groups; the security is based on the TTP algorithm in [1] given below. $e$ is the identity element in the braid group.

Algorithm 1. TTP Algorithm of [1].

1. Choose two secret subsets $BL = \{b_{l_1}, \ldots, b_{l_{l_\alpha}}\}$, $BR = \{b_{r_1}, \ldots, b_{r_{r_\beta}}\}$ of the set of generators of $B_n$ where $|l_i - r_j| \ge 2$ for all $1 \le i \le l_\alpha$ and $1 \le j \le r_\beta$.

2. Choose a secret element $z \in B_n$.

3. Choose words $\{w_1, \ldots, w_\gamma\}$ of bounded length from $BL$.

4. Choose words $\{v_1, \ldots, v_\gamma\}$ of bounded length from $BR$.

5. For $1 \le i \le \gamma$:

a. calculate the left normal form of $z w_i z^{-1}$ and reduce the result modulo the square of the fundamental braid.

b. set $w'_i$ equal to the sequence of integers that correspond to the element calculated in a.

c. calculate the left normal form of $z v_i z^{-1}$ and reduce the result modulo the square of the fundamental braid.

d. set $v'_i$ equal to the sequence of integers that correspond to the element calculated in c.

6. Publish the two sets $\{w'_1, \ldots, w'_\gamma\}$ and $\{v'_1, \ldots, v'_\gamma\}$.

The security of the TTP algorithm is based on the MSCSPv with the elements $(x_1, x_2, \ldots, x_u) = (w_1, \ldots, w_\gamma, v_1, \ldots, v_\gamma)$, $(y_1, y_2, \ldots, y_u) = (w'_1, \ldots, w'_\gamma, v'_1, \ldots, v'_\gamma)$ and $u = 2\gamma$. Assume the attacker knows this instance of the MSCSPv in Artin representation.

3.1 Security of AAGL Protocol is Based on the Multiple Simultaneous Conjugacy Search Problem

Notation. $u'_i \in \{w'_1, \ldots, w'_\gamma\} \cup \{v'_1, \ldots, v'_\gamma\}$, $u_i \in \{w_1, \ldots, w_\gamma\} \cup \{v_1, \ldots, v_\gamma\}$, $u'_i \sim u_i$ for some $1 \le i \le 2\gamma$.

Notation. $S_{u'_i}$ is a set that contains elements of the form $zkz^{-1}$ when the set is used in a deterministic algorithm; $S_{u'_i}$ contains elements of the form $zkz^{-1}$ with some probability when the set is used in a probabilistic algorithm, where the $zkz^{-1}$ are elements in the centraliser of $u'_i$.

Recall the centraliser of an element is the set of all elements that commute with it; for the infinite braid group the centraliser of an element will contain an infinite number of elements, hence we approximate the centraliser with a finite set. Let $A$ be a braid invariant; it is possible (but unlikely) for two different braids to have the same value for $A$, see [6]. Note there are practical algorithms to compute the braid invariant $A$ because the CDP (conjugacy decision problem) is feasible in braid groups. Good bounds for summit type sets are not known, but the $SSS$ certainly has the upper bound $n!^q$, where $q = \max_{\forall i}(\mathrm{minsup}(u'_i) + \mathrm{maxinf}(u'_i))$, for example see [6], so all known algorithms for computing $SSS$ have in the worst case factorial complexity, but it is conjectured that the size of $SSS$ is exponential in $n$. Because we use the upper bound $n!^q$ our algorithm is of factorial complexity. It is known the quantity $\mathrm{minsup}(u'_i) + \mathrm{maxinf}(u'_i)$ can be computed in polynomial time and space, so $q$ can be computed in polynomial time and space in $n$ and the length of $u'_i$ (obviously this means $q$ can be computed in factorial space and time complexity). Refinements of Garside's algorithm for the CSP/CDP [8] (Garside's is the first algorithmic solution of the CDP/CSP) to solve the CSP, such as the solution given in [7], can be used to solve deterministically the CDP in worst case factorial time and space complexity. Elements of the form $zkz^{-1}$ (where $k$ commutes with $u_i$) may be found by computing the centraliser of $u'_i$ (which any attacker can compute) because $zkz^{-1} \cdot z u_i z^{-1} = z u_i z^{-1} \cdot zkz^{-1} \Rightarrow zkz^{-1} u'_i = u'_i zkz^{-1}$, so $zkz^{-1}$ is in $S_{u'_i}$.

3.1.1 Attack Based on MSCSP

The only known attack, given in [1], without side information on the AAGL is a brute force attack; the above linear algebraic attack is given in section 6 of [1]. We give a deterministic algorithm based on computing centralizers to solve the MSCSPv, and our algorithm may use algorithms that compute super summit sets. Our algorithm has factorial complexity; some reasons are that all known algorithms to compute the centralizer of an element are of factorial complexity (in the worst case), and the best known algorithm to solve the CSP in general has factorial running time, which means computing centralisers and solving the CSP can take around the same time. Hence our algorithm is the best known way to attack the AAGL if suitable parameters can be found, and potentially its efficiency can be improved.

Notation. $C$ is an algorithm that computes $S_{u'_i}$ in factorial space and time complexity in the worst case.

Algorithm 2. General deterministic algorithm for MSCSPv.

1. Compute $S_{u'_i}$ for $u'_i = z u_i z^{-1}$; $S_{u'_i}$ contains some or all elements of the form $F = zkz^{-1}$; it follows that the choices for $k$ include all elements which commute with $u_i$ etc., $S_{u'_i} \subseteq S_P$.

2. For an element $u'_i$ in $S_{u'_i}$ find $k$, then solve the CSP with $(k, zkz^{-1})$ for $(z, z^{-1})$. We find $k$ as follows.

2i. Select a function $f_P$ which parametrizes in $P$ a finite approximation to the centralizer.

2ii. Select a function which parametrizes in $L_P$ a finite approximation to words in $G$. We define the set $U_{L_P}$ as containing all words defined by $L_P$.

3i. Set $L_P = L_0$, $P = P_0$. $L_P$ may depend on $P$. Compute if necessary $S_{u'_i} = f_P$.

3ii. Update the value of $P$ as $P \in p_\gamma$. Initialise $I = I_0$.

3iii. Select $S'_{u'_i} \subseteq S_{u'_i}$; compute if necessary $S_{u'_i} = f_P$. $S'_{u'_i}$ may depend on $L_P$. Using a chosen algorithm, find a (CSP) pair $(b, a)$ with $a \in S'_{u'_i}$, $b \in U'_{L_P}$, where $U'_{L_P} \subseteq U_{L_P}$. The pair $(b, a)$ is stored.

3iv. If the values of $P$ have been exhausted from the set $p_\gamma$ then goto step 4.

3v. Update the value of $I$ as $I \in i_u$; if the values of $I$ have been exhausted from the set $i_u$ then goto step 3ii.

3vi. Update $L_P$ as $L_P = L_{P,I}$. If the values of $L_P$ have not been exhausted goto step 3iii.

4. Solve the MSCSP for all the pairs $(b, a)$. Terminate algorithm.
We now give an example of algorithm 2 which is also a general algorithm (note $P$ is redundant in this example for the reason given in the proof below) of the above algorithm where $G$ may be $B_n$ or any Garside group.

Algorithm 3. An example of algorithm 2.

1. Compute $S_{u'_i}$ for $u'_i = z u_i z^{-1}$; $S_{u'_i}$ contains some or all elements of the form $F = zkz^{-1}$, hence the choices for $k$ include all elements in $BR$ or $BL$ depending on whether $u'_i = v'_i$ or $u'_i = w'_i$.

A second possible choice is to compute $S_{u'_i}$ represented by a generating set of the centraliser of $u'_i$, such as using the algorithm in [9].

2. Find $k$ then solve the CSP with $(k, zkz^{-1})$ for $(z, z^{-1})$. We find $k$ as follows.

2i. Select a function which parametrizes in $P$ a finite approximation to the centralizer of $z u_i z^{-1}$. We choose the function $F_{u'_i,P}(P_0, \alpha)$ which computes the set which contains all braids $F \in S_P$ in the centralizer of $u'_i$ such that $\Delta^{P} \preceq F \preceq \Delta^{P+1}$, for all $P$, $P_0 \le P \le \alpha$, which is $\Delta^{P_0} \preceq F \preceq \Delta^{\alpha}$. $S_P$ here contains at least one element in the centraliser of $u'_i$ if using $C$ as described in the proof below.

2ii. We define the set (we construct) $U_{L_P}$ as $U_{L_P} \subseteq B_n^{+} \setminus \{e\}$ to contain all distinct words in Artin generators of length $L_P$, with the length measured in the number of Artin generators. Or a second possible choice for $U_{L_P}$ may contain some or all of the union of the centralisers of short words in Artin generators; so for example, to compute $k$ (where $k$ may be long) is to choose it from the generating set of the centraliser of a single Artin generator $b_i$, say using the algorithm in [9]; the above approach can be used when $k$ is not one Artin generator.

3i. Set $L_P = 1$, $P_0 = -2g_z$, $P = P_0$. Let $S_{u'_i} = F_{u'_i,P}(P_0, \alpha)$.

3ii. $P = P + 1$. $I = 1$.

3iii. We test the relation, using an algorithm for the CDP (an alternative step instead of this step is described in the proof below),

$A(a) = A(b)$, $a \in S'_{u'_i, L_P}$, $b \in U'_{L_P}$,

where $S'_{u'_i} \subseteq S_{u'_i}$ and $U'_{L_P} \subseteq U_{L_P}$. The pair $(b, a)$ is found with a linear search. If the above relation is true then let $k = b$. The pair $(b, a)$ is stored.

3iv. If $P > P_0 + 1$ then goto step 4.

3v. $I = I + 1$. $L_{P,I} = I$.

3vi. $L_P = L_{P,I}$. If $L_P > f(u'_i)$ then goto step 3ii, where $f(u'_i)$ may depend on $u'_i$.

4. Solve the MSCSP for all the pairs $(b, a)$ using a deterministic algorithm. Terminate algorithm.

As would be expected, for poorly chosen parameters our algorithm may not be more efficient than a brute force attack. A potential variant is to check if a short word (in length of Artin generators) is not conjugated by $z$: an attacker can compute, for a given length function, the average (or an upper bound on the) length of $u'_i$, and if a word $u'_i$ is significantly larger than the average length (or an upper bound) of $u'_i$ it is considered not a potential value for $a$, so here $S'_{u'_i}$ depends on $L_P$. Other potential variants (which we discuss below) are to take some subset $S_P$ in bounds for $F$ between powers of $\Delta$ whose exponents depend on some integer $\delta$ (so here $P$ may have a larger range), and not to restrict $b$ to positive words. The parameters $P, L_P$ control the lengths of $a$ and $b$. We now show for suitable parameters our attack will terminate with a solution for the MSCSPv used in the AAGL protocol.
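As an added example that is not part of the paper, the following Python models Algorithm 1, the centraliser observation of section 3.1 and steps 1, 3iii and 4 of Algorithm 3 in the finite group $S_7$: adjacent transpositions stand in for the Artin generators (they commute under the same $|i - j| \ge 2$ condition), cycle type stands in for the invariant $A(\cdot)$, and exhaustive search over the 5040 permutations stands in for the summit set computations. All names, the secret $z$, the words $w_i$, $v_i$ and the "enough pairs" counts are the example's own constructions; being finite, it shows the reduction to the MSCSP and which elements the attacker stores, not the braid group complexities.

```python
"""Added example (not from the paper): the AAGL TTP structure and the attack's
reduction to the MSCSP, modelled in the symmetric group S_7 instead of B_n.
Constructed model: permutations are tuples; s_i is the adjacent transposition
(i-1 i), which commutes with s_j iff |i-j| >= 2 like the Artin generators;
cycle type stands in for the braid invariant A(.); brute force over the 5040
permutations stands in for the summit set computations."""
import itertools

N = 7
BL, BR = (1, 2), (4, 5, 6)            # |l_i - r_j| >= 2 holds for all pairs
Z_SECRET = (3, 6, 0, 5, 1, 4, 2)      # constructed secret z of the TTP

def compose(p, q):
    """(p o q)(i) = p(q(i)): apply q first, then p."""
    return tuple(p[q[i]] for i in range(len(p)))

def inverse(p):
    inv = [0] * len(p)
    for i, x in enumerate(p):
        inv[x] = i
    return tuple(inv)

def conj(g, x):
    """g x g^{-1}."""
    return compose(compose(g, x), inverse(g))

def gen(i, n=N):
    """s_i: swap positions i-1 and i, for 1 <= i <= n-1."""
    p = list(range(n))
    p[i - 1], p[i] = p[i], p[i - 1]
    return tuple(p)

def word(letters, n=N):
    """Product s_{l_1} s_{l_2} ... of generators (rightmost applied first)."""
    e = tuple(range(n))
    for i in letters:
        e = compose(e, gen(i, n))
    return e

def cycle_type(p):
    """Conjugacy invariant of S_n, playing the role of A(.) in step 3iii."""
    seen, lengths = set(), []
    for i in range(len(p)):
        if i not in seen:
            j, length = i, 0
            while j not in seen:
                seen.add(j)
                j = p[j]
                length += 1
            lengths.append(length)
    return tuple(sorted(lengths))

ELEMENTS = [tuple(p) for p in itertools.permutations(range(N))]

def ttp_publish(z):
    """Algorithm 1 analogue with gamma = 2: constructed secret words over BL
    and BR, published as their conjugates by z.  Returns (secret, w', v')."""
    ws = [word([1, 2]), word([1])]          # a 3-cycle and a transposition
    vs = [word([4, 5, 6]), word([5])]       # a 4-cycle and a transposition
    return ws + vs, [conj(z, w) for w in ws], [conj(z, v) for v in vs]

def stored_a(public_set):
    """Step 3iii with L_P = 1: a runs over the exact centraliser common to the
    published set, b over single generators, and a is stored when A(a) = A(b).
    By the section 3.1 lemma the w' set yields z s_j z^{-1} for every s_j in BR
    and the v' set for every s_j in BL (plus other conjugates of generators)."""
    target = cycle_type(gen(1))
    return {a for a in ELEMENTS if cycle_type(a) == target
            and all(compose(a, u) == compose(u, a) for u in public_set)}

def mscsp_candidates(a_w, a_v, need_w, need_v):
    """Step 4: keep g mapping at least need_w guessed generators into the w'-side
    stored set and need_v into the v'-side one, i.e. g solves an MSCSP built
    from stored pairs (b, a); need_* is the 'enough pairs' count of Algorithm 4."""
    gens = [gen(j) for j in range(1, N)]
    return [g for g in ELEMENTS
            if sum(conj(g, s) in a_w for s in gens) >= need_w
            and sum(conj(g, s) in a_v for s in gens) >= need_v]

def key_equivalent(g, secret, public):
    """g conjugates every secret u_i onto the public u'_i, so g is as good as z;
    used only as the final verification (the paper's impersonation test)."""
    return all(conj(g, u) == u_pub for u, u_pub in zip(secret, public))

def demo(z=Z_SECRET):
    secret, w_pub, v_pub = ttp_publish(z)
    a_w, a_v = stored_a(w_pub), stored_a(v_pub)
    true_w = {conj(z, gen(k)) for k in BR}  # the pairs the attacker relies on
    true_v = {conj(z, gen(k)) for k in BL}
    cands = mscsp_candidates(a_w, a_v, need_w=len(BR), need_v=len(BL))
    winners = [g for g in cands if key_equivalent(g, secret, w_pub + v_pub)]
    return {"stored_w": len(a_w), "stored_v": len(a_v),
            "true_pairs_stored": true_w <= a_w and true_v <= a_v,
            "candidates": len(cands), "z_is_candidate": z in cands,
            "winners": len(winners), "group_order": len(ELEMENTS)}

if __name__ == "__main__":
    print(demo())
```

Running it reports 6 and 3 stored elements, 288 of the 5040 group elements consistent with the stored pairs (z times the permutations preserving the two generator blocks), and only z itself passing the verification step.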

Proposition 1

Solving the MSCSPv as used in the AAGL protocol is equivalent to solving the MSCSP (which can be shown in deterministic factorial time) using algorithm 3 twice and possibly using algorithm $C$, with the parameters $P_0 = -2g_z$, $\alpha = 2g_z + L_m$, $f(u'_i) \le O(\frac{n}{\log n})$, where $L_m = \max_{\forall P} L_P$. As is shown in the proof, $L_m = 1$ is sufficient. This requires in the worst case space complexity

$O(c_1|SSS(u'_i)| + c_2|SSS(b)| + (n-1)^{O(n/\log n)})$

and time complexity

$O(|SSS(b)|\,|SSS(u'_i)|\,(n-1)^{O(n/\log n)})$,

where the element $u'_i$ is part of the TTP's public key and $b \in S_{v'_i} \cup S_{w'_i}$.

Proof

We use an algorithm that computes summit type sets which we call $XSS$; we analyze the cases for $XSS$, $SSS$ and $C$ both in the proof below.

• Case using $C$ and $SSS$.

We use an algorithm $C$ such that it computes $\Delta^{P_0} \preceq F \preceq \Delta^{\alpha}$ for all $P$ used. For $C$ we use an existing algorithm for the centraliser or the CSP. $\inf_{ss}(u'_i)$ means elements of the $SS$ which have maximum infimum in the conjugacy class of $u'_i$. For example we use the algorithm to compute the $SS$ [8] to solve the CSP $(u'_i, u'_i)$; then it follows for all $F \in S_P$, $\Delta^{P_0} \preceq F \preceq \Delta^{P_0+1}$ where $P_0 = \inf_{ss}(u'_i)$, and the $SS$ can be computed in worst case factorial complexity, so $P$ is redundant in this case, but here $\inf(zkz^{-1}) = \inf_{ss}(u'_i)$ must be true for the algorithm to find a solution. Another choice for $S_{u'_i}$ involves computing all braids $F$,

$\Delta^{P_0} \preceq F \preceq \Delta^{\alpha}$ (1)

then it would follow from the analysis and the bound on the number of braids in canonical factors and the braid index [3] that our algorithm would be of factorial complexity, but this choice of parameters for the algorithm results in complexity similar to a brute force algorithm. The above method using (1) can potentially be improved, for example if $k$ (described below) is of short length, then depending on the method of rewriting elements, $F$ is expected to be of short length, hence the value of $\alpha$ can be lowered.

In the following analysis we assume the algorithm $C$ is used to compute $F \in S_{u'_i}$, with $F$ in the bounds given by (1), for all $P$ used, or the choice for computing $S_{u'_i}$ above, or we assume in our analysis below we use the $SSS$ based algorithm of [7] which has worst case factorial time and factorial space complexity. If a $C$ that computes an $S_{u'_i}$ containing at least one element of the form $zkz^{-1}$ is used then our algorithm always terminates with a solution using the bounds for $P_0, \alpha$ derived below.

We prove below that computing $U_{L_P}$ has worst case factorial time and factorial space complexity. Note if it is true, at least for a class of braids, for a value of $XSS$ that $|XSS|$ is exponential in $n$ in the proof below, then the algorithm works in worst case exponential time (hence the term appears below).

From [1] any attacker can compute the smallest $g_z$ from

$\frac{\ln(2n-2)}{\ln(2)}$

where $g_z$ is the length of $z$ in Artin generators and we assume the smallest $g_z$ is used. If the above assumption turns out to be false then the attacker may estimate $g_z$ from the elements $u'_i$; $g_z$ can be feasibly computed, otherwise the public keys are too long in Artin generators to use.

We use the easy theorem 1.5 given in [7], which is: if $B$ is any braid word represented in $N$ negative Artin generators and $P$ positive Artin generators then $\Delta^{-N} \preceq B \preceq \Delta^{P}$. Consider then any $b \in U_{L_P}$, and $z$: then $\Delta^{-g_z} \preceq z \preceq \Delta^{g_z}$, $e \preceq b \preceq \Delta^{L_P}$, hence

$\Delta^{-2g_z} \preceq zbz^{-1} \preceq \Delta^{2g_z + L_P}$,

hence if we let $P_0 = -2g_z$, $\alpha = 2g_z + L_P \le 2g_z + L_m$, from the above bound on $zbz^{-1}$ it must be true that the centraliser of $u'_i$ contains elements of the form $zkz^{-1}$ where $k$ is an element in $BL$ or $BR$.

Note $|S_P|$ by assumption is of factorial complexity in the parameters $2g_z + L_P$, $n$, and contains $zkz^{-1}$ for values of $k$.

This is true because we know from the condition $|l_i - r_j| \ge 2$ it follows that $BL$ and $BR$ do not have any generator in common.

Now the attacker runs algorithm 3 twice in parallel so that $u'_i = v'_i$ or $u'_i = w'_i$ in each of the runs, but the attacker may compute the common computations (such as computing $U_{L_P}$) once for both runs. Hence for $L = 1$ one of the choices of $b$ (selected by the attacker), namely one of the Artin generators of $BR$, must be a correct choice; generally this means for $k$ there are $l_\alpha + r_\beta$ easy guesses when it is of feasibly computable length from the parameters suggested in [1]. Such easy choices for $k$ exist because the TTP algorithm specifies the subgroups in terms of single Artin generators. The attacker, using a linear search algorithm through $S_{v'_i} \cup S_{w'_i}$ for $zkz^{-1}$ and using the CDP with $b$ a word in a single Artin generator of length up to $n$, in step 3iii finds the CSP pair $(b, zbz^{-1})$ to solve, which must exist by construction. An option at step 3iii is to solve the CDP in deterministic factorial time using the algorithm in [7].

We estimate $|U_{L_P}|$ with the upper bound $S_{n,L_P} = (n-1)^{L_P}$, hence $S_{n,O(n/\log n)}$ is at worst an exponential function. Hence computing all distinct words (which are not optimally bounded above exponentially by $S_{n,L_P}$) of length $\theta = O(\frac{n}{\log(n)})$ from $U_{L_P}$ will mean the attacker is guaranteed to find all the words (there are an exponential number of these and if $\theta = O(\log(n))$ they are polynomially long) in $BL$, $BR$ of length $\theta$ in $S_{v'_i} \cup S_{w'_i}$.

Hence the attacker can take $1 \le L_P \le O(\frac{n}{\log n})$, as this keeps the complexity exponential, so the attacker selects $L_P$ up to $O(\frac{n}{\log n})$ (actually the attacker can select any $\theta$ such that the complexity of the algorithm is factorial in the worst case). To get more conjugacy equations the attacker can try for $b$ all words of length $O(\frac{n}{\log n})$, but as expected the longer the word length of $b$ is, the less chance (as described below) that a CSP pair will be found; for short word length of $b$ there is a non-negligible probability that the attacker can guess a correct $b$. We show below that $1 \le L \le O(\log n)$ can be chosen.

In the following $\theta = O(\frac{n}{\log n})$. Let $c_1, c_2, \ldots, \lambda_1, \lambda_2, \ldots \in \mathbb{R}$; we assume we may approximate $S_{u'_i}$ and centraliser computations by $O(|XSS(u'_i)|)$; this assumption is based on the fact that in some cases, e.g. $XSS = SSS$, it is known that algorithms for computing the centraliser of $u'_i$ are proportional in space and time complexity to $|XSS(u'_i)|$. $|S_{u'_i}|$ and hence any centraliser is at most of factorial space complexity using (2.1) above. $SSS(u'_i)$ is the super summit set of the element $u'_i$; the sizes of these sets are not fully known, it is known that $|SSS|$ is at least exponential in $n$, and for a fixed $n$ is proportional to $(n!)^q$; we write $SSS(u'_i)$ for the maximum size of $SSS(u'_i)$ where $q = \max_{\forall i} \mathrm{minsup}(u'_i) + \mathrm{maxinf}(u'_i)$. Observe $O((n!)^q)$ is of smaller order than $O(e^{qn\log(n)})$; we use a similar notation for $XSS(u'_i)$.

If we use an algorithm that stores at least all the elements in $S_{v'_i} \cup S_{w'_i}$ and stores all elements in $U_{L_P}$, uses a deterministic algorithm to solve both the MSCSP (the number of equations $v$ in the MSCSP may be constant) and the CDP that uses exponential space, then the space complexity of the algorithm is factorial in the worst case; it is

$O(c_1 E(u'_i) + c_2 E(b) + c_3 (n-1)^{\theta})$
$= O(c_4|SSS(u'_i)| + c_5|SSS(b)| + (n-1)^{\omega n/\log(n)})$

where the constant $\omega$ depends on the function used for $O(\frac{n}{\log n})$.

Note the space and time complexity of solving the MSCSP is proportional to $v|SSS(b)|$ if the MSCSP is solved by intersections of elements of summit sets. We write $O(|SSS(b)|) \approx O(E(b)) = O(e^{q_2 n\log(n)})$ for the maximum size of $SSS(b)$, which is determined by $q_2 = \max_{b \in U_{L_P}} \mathrm{minsup}(b) + \mathrm{maxinf}(b)$, so $q_2$ is the canonical length of $b$.

We use this result at step 3iii in the CDP. Computing $S_{v'_i} \cup S_{w'_i}$, the linear searches through $S_{v'_i} \cup S_{w'_i}$ for each element of $U_{L_P}$ and solving the CDP for every potential pair at 3iii, and then solving the resulting MSCSP, means in the worst case the time complexity is factorial and it is

$O(c_1 E(u'_i) + c_2 E(u'_i) E(b) (n-1)^{\theta})$
$\approx O(E(b) E(u'_i) (n-1)^{\omega n/\log(n)})$
$= O(E(b) E(u'_i) \omega^n) = O(|SSS(b)|\,|SSS(u'_i)|\,\omega^n)$
$\approx O((\omega e^{(q+q_2)\log(n)})^n).$

It is understood the constants $c_1, c_2, \ldots$ are different from the constants $c_1, c_2, \ldots$ used in the notation of the space complexity and other complexity computations below. Now consider a variant of the above attack, which is not to use an algorithm for the CDP in step 3iii but instead to solve the CSP with the guess for $b$ with every possible element in $S'_{u'_i}$ and recover $z$ and hence the shared secret using the algorithm in [1]; the attacker may test if $z$ is the correct solution: for example, $z$ is used in an impersonation attack or (using an algorithm for the CDP) $z^{-1}u'_i z \sim u'_i$ is checked. For the variant attack above the worst case space and time complexity are the same.

• $XSS$ Case.

In the more general case of $XSS$ we can use any algorithm, which we refer to as $S$, that outputs a conjugate pair $(b, a)$ or potential pair $(b, a)$ using the sets $S_{v'_i}$, $S_{w'_i}$, $U'_{L_P}$; let $S^t_{u'_i}$, $S^s_{u'_i}$ be the time complexity and space complexity respectively to compute $S_{u'_i}$; we refer to the time complexity and space complexity to solve the CDP as $CDP_t$, $CDP_s$; we refer to an algorithm for the CDP with input $b, a$ as $CDP(b, a)$, with similar notation for the MSCSP. Note it is assumed the CDP and MSCSP can be solved in worst case time complexity and space complexity proportional to $|XSS|$; this is true for example when $XSS = SSS$ and the assumption is based on this example. By a similar argument to the $SSS$ case, a time complexity bound in the worst case is

$O(S^t_{v'_i} + S^t_{w'_i} + \max_b CDP_t(S(S_{v'_i} \cup S_{w'_i}, b)) + MSCSP_t)$
$\approx O(c_1|XSS(u'_i)|^{\lambda_1} + c_2|XSS(b)|).$

A bound for the space complexity in the worst case is

$O(S^s_{v'_i} + S^s_{w'_i} + |U'_{L_P}| + MSCSP_s + \max_b \max_a CDP_s(b, a))$
$\approx O(c_1|XSS(u'_i)|^{\lambda_2} + c_2|SSS(b)| + c_3|U'_{L_P}|).$

Now consider a variant of the above attack, which is not to use an algorithm for the CDP in step 3iii but instead to solve the CSP with the guess for $b$ with every possible element in $S'_{u'_i}$ and recover $z$ and hence the shared secret using the algorithm in [1]; the attacker may test if $z$ is the correct solution: for example, $z$ is used in an impersonation attack or $z^{-1}u'_i z \sim u'_i$ is checked.

Note it may be that $b \in S'_{u'_i}$ (which can be verified using a polynomial time word algorithm in $B_n$); in this case $z$ must be in the centraliser of $b$. Call the set of all such stored $b$ $B_z$; then $z$ can be found by testing every element (for the choice of $z$) of the centraliser of a subset of $B_z$ for the correct element.

If $S_{u'_i}$ is computed using the second choice in step 1 and the corresponding value of $k$ is found using the second choice in step 2ii then, because it is known the centraliser of every element in $B_n$ can be generated by $O(n^2)$ generators [9], the MSCSPv can be solved feasibly depending on $|SSS|$.

Algorithm 4. Probabilistic algorithm for MSCSPv.

1. Compute $S_{u'_i}$, a suitably small set $S_{u'_i,s}$ for $u'_i = z u_i z^{-1}$ that may contain elements of the form $F = zkz^{-1}$, hence the choices for $k$ include all elements in $BR$ or $BL$ depending on whether $u'_i = v'_i$ or $u'_i = w'_i$. One possible simple choice at this step is to compute $S_{u'_i}$ as randomly chosen elements of the centraliser of $u'_i$.

2. Find $k$ then solve the CSP with $(k, zkz^{-1})$ for $(z, z^{-1})$. We find $k$ as follows.

2i. Select a function which parametrizes in $P$ a suitably small finite approximation to the centralizer of $z u_i z^{-1}$. We choose the function $F_{u'_i,P}(P_0, \alpha)$ which computes the set which contains a subset of the braids $F \in S_P$ and, if possible, maybe using heuristic method(s), gives $F$ where $k$ is short (in a given length function) with high probability.

2ii. We define the set we can feasibly compute, $U_{L_P}$, as $U_{L_P} \subseteq B_n$ of short words of length $L_P$ for some length function.

3i. Set $L_P = 1$, $P_0 = -2g_z$, $P = P_0$. Let $S_{u'_i} = F_{u'_i,P}(P_0, \alpha)$.

3ii. $P = P + 1$. $I = 1$.

3iii. We test the relation, using an efficient algorithm to solve the CDP such as the one in [6],

$A(a) = A(b)$, $a \in S'_{u'_i, L_P}$, $b \in U'_{L_P}$,

where $S'_{u'_i} \subseteq S_{u'_i}$ and $U'_{L_P} \subseteq U_{L_P}$. If the above relation is true then let $k = b$. The pair $(b, a)$ is stored. When enough pairs have been computed goto step 4.

3iv. $I = I + 1$.

3v. $L_{P,I} = I$.

3vi. $L_P = L_{P,I}$. If $P > P_0$ then terminate and goto step 4. If $L_P > f(u'_i)$ then goto step 3ii, where $f(u'_i)$ may depend on $u'_i$; we can take it to be on feasibly computable words up to $O(\frac{n}{\log n})$.

4. Solve the MSCSP for all the pairs $(b, a)$ using an algorithm that works with high probability. Terminate algorithm.

Proposition 2

Solving the MSCSPv can be done with the probabilistic algorithm 4 in approximately time $O(|XSS(u'_i)|^{\lambda_3}\omega^n)$ and space $O(c_3|XSS(u'_i)|^{\lambda_4} + c_1\omega^n)$, and with additional reasonable assumptions this can be improved to time $O(|XSS(u'_i)|^{\lambda_5} n^{2+\epsilon})$ and space $O(|XSS(u'_i)|^{\lambda_6})$ using algorithms to solve the MSCSP and CDP efficiently, where the element $u'_i$ is part of the TTP's public key, $XSS$ is a summit type set and the constant $\omega$ depends on $n$.
Proof

The following easy computations are involved in computing the complexity in the better case: a randomly chosen generator has probability $p_\alpha = \frac{l_\alpha}{n-1}$ and $p_\beta = \frac{r_\beta}{n-1}$ of being in $BL$ and $BR$ respectively; then if an attacker selects a random word $b$ from $U'_{L_P}$ of length $\theta$ Artin generators, it has probability $p_{\alpha,\beta,\theta} \approx p_\alpha^{\theta} + p_\beta^{\theta}$ of being in $BL$ or $BR$. From the algorithm used to compute $S_{u'_i}$ (which computes words less than a certain bound) we do not have to pick $\theta$ too large, as there exist some $k$ of short length in Artin generators. Choosing $\theta < n$ keeps the algorithm in factorial complexity, but this is not a good choice; from the above discussion the attacker can take $\theta = O(\frac{n}{\log n})$. Observe the attacker must on average compute

$W_P \approx \frac{W}{p_{\alpha,\beta,\theta}} \le \frac{W (n-1)^{\theta}}{\min(l_\alpha, r_\beta)^{\theta}}$ (2)

words before expecting $W$ words to be found in $S_{v'_i} \cup S_{w'_i}$. The attacker may estimate $p_\alpha, p_\beta$ if the attacker assumes $l_\alpha, r_\beta, n$ are not independent of each other, for example $l_\alpha \approx r_\beta$, and assumes all (then $p_{\alpha,\beta,1} = 1$ for the selection of $b$ used in both runs) or nearly all possible Artin generators are used in $BL$, $BR$, so $p_\alpha \approx p_\beta$. Hence (independent of large enough $n$), the attacker needs to compute approximately as few as $2^{\theta}$ distinct words for the parameters suggested in [1] to ensure on average a reduction to the MSCSP with at least 2 equations. We would need to select only approximately 4 distinct random words of length 3 from $U'_{L_P}$ before the attacker expects to get one conjugacy equation or the CSP; the example above uses little memory and potentially little computing power.

In this better case we use an efficient algorithm for the CDP such as the one given in [6], use a linear search, and use an algorithm for the MSCSP that works with high probability. We assume in all of this second proof that the length of $b$ is less than that of $u'_i$; this means in general $O(|SSS(u'_i)|)$ is greater than $O(|SSS(b)|)$.

We assume in this proof there is an algorithm that can compute $S_{u'_i}$ proportional in space and time complexity to $|XSS|$; this assumption is based on the fact that such an algorithm exists when $XSS = SSS$, see [9], and that this algorithm has worst case exponential space and time complexity. From the description above (from $W_P \approx \frac{W}{p_{\alpha,\beta,\theta}} \le O(n^{O(n/\log(n))})$), the time complexity in this better case is $O(|XSS(u'_i)|^{\lambda_3}\omega^n)$ as shown below. We assume we use an algorithm for the CDP which has time and space proportional to $|XSS|$, such as Garside's algorithm [8]. Here $CDP_t$ is the average time taken to solve the CDP over all pairs $(b, a)$. Then by a similar argument to above the time complexity is

$O(S^t_{v'_i} + S^t_{w'_i} + CDP_t(|S_{v'_i}| + |S_{w'_i}|)\omega^n + MSCSP_t)$
$\approx O(E(u'_i))\,O(n^{O(n/\log n)})$
$= O(|XSS(u'_i)|^{\lambda_3}\omega^n),$

and the space complexity is

$O(S^s_{v'_i} + S^s_{w'_i} + c_1\omega^n + \max_b \max_a CDP_s(b, a) + MSCSP_s)$
$= O(c_2 E(u'_i)) + O(n^{O(n/\log n)}),$

where the constant $\omega$ depends on the function used for $O(\frac{n}{\log n})$.
• Better Complexity Bounds

The above analysis for the better case may not be optimal; for example if we make some assumptions then we get a tighter bound on the complexities as follows. For this case the average complexities of the algorithms for the CDP, CSP and MSCSP are considered. From (2), and if we assume $l_\alpha, r_\beta$ are linear in $n$ and $\theta = O(\log(n))$, we assume we have an efficient algorithm for the CDP which has average linear complexity, possibly the one given in [5]; this assumption is based on the result that empirically, for randomly chosen long random braids which have simple elements randomly chosen, $|USS|$ is on average likely to be linear in the word length and independent of the braid index $n$, e.g. see [5], and we use an algorithm for the MSCSP that works with high probability. Hence the CDP/CSP in this average case can be solved in linear space and time complexity. The time complexity in this better case can with high probability be (recall computing $S_{u'_i}$ is proportional in space and time complexity to $|XSS|$)

$O(c_1 E(u'_i)\,\Omega^{O(\log n)}\,O(n)) \approx O(E(u'_i)\, n^{2+\epsilon})$
$= O(|XSS(u'_i)|^{\lambda_5} n^{2+\epsilon})$

for some $\Omega \in \mathbb{R}$ which depends on (2). The space complexity in this better case is

$O(c_1 E(u'_i) + \Omega^{O(\log n)} + \cdots)$
$\approx O(c_1 E(u'_i) + c_2 n^{\epsilon}) \approx O(|XSS(u'_i)|^{\lambda_6});$

using straightforward algebra it can be shown $\epsilon$ can be close to a constant as $n$ gets larger and depends on $\Omega$ and the constants in $O(\log n)$; if $\Omega$ is bounded then $\epsilon$ is bounded.

Note the space can be up to exponential size (so giving a better space bound here); the only requirement is that the set $S_{u'_i}$ must be of size at least greater than one, as it must contain at least one element with some feasibly computable $k$.

The above shows that using the AAGL protocol can potentially be as secure as using CSP based protocols such as the AAG protocol [2], as both can be broken with attacks of the same or similar complexity depending on the values $\lambda_5$, $\lambda_6$ and $\epsilon$; by similar we mean our instantiations of our attack can differ by a factor of a polynomial in $n$ from attacks such as those on the AAG protocol, for example the time complexities of the attacks differ by a factor of $n^{2+\epsilon}$. If the attacker decides to compute $S_{u'_i}$ as randomly chosen elements of the centraliser of $u'_i$ then the success of this attack in this case depends on the probability of $S_{u'_i}$ containing elements of the form $zkz^{-1}$. Informally, our attack consists of computing subsets of centralisers and extracting suitable elements from the centralisers: we refer to our attack as a two central element attack.

Now consider a variant of the above attack which does not use an algorithm for 
the CDP in step 3iii but instead solves the CSP with the guess for $b$ against every 
possible element in $S_{u'_i}$, and recovers $z$ and hence the shared secret using the 
algorithm in [1]; the attacker may test whether $z$ is the correct solution, for example 
by using $z$ in an impersonation attack or by checking if $z^{-1}u_iz \sim u'_i$. 

Note it may be that $b \in S_{u'_i}$ (which may be verified using a polynomial 
time word algorithm); in this case $z$ must be in the centraliser of $b$. Call 
the set of all such stored $b$, $b_z$; then $z$ can be found by testing every element 
of the centraliser of a subset of $b_z$ for the correct element. 

Observe that if the attacker assumes his guess of the generators of BL, BR is 
correct (or manages to learn these subgroups in a different way) the attacker can 
compute randomly chosen words, computable in polynomial time, in BL, BR and 
in up to factorial time (approximately the time taken to solve the CDP) find 
a system of conjugacy equations and reduce the security of the AAGL protocol to 
the MSCSP, so this is another reason why the users should keep the subgroups 
BL, BR secret. For general BR and BL the algorithm has to be modified to 
use the publicly known information about their structures. The complexity of 
the algorithm is mainly determined by computing $S_{v'_i}$, $S_{w'_i}$, which may contain 
portions of the centralisers, so we can estimate this to be approximately the 
same time and space complexity as computing the SSS of an element, so in 
general it is exponential; also the sizes of the sets $S'_{u'_i}$ and $U'_{L p_v}$ affect the 
complexity of the example algorithm. In this connection 

$$O_1 = \sum_{P = P_0,\; \forall P \in p_v}^{P_v} \;\sum_{l = 1,\; \forall l \in l_v}^{l_v} \left( |S_{k_L p_v}| + |U'_{L p_v}| + |P_v|\,|l_v| \right)$$

can be used as a parameter to measure the 
efficiency of algorithm 3; minimising $O_1$ will make the algorithm more efficient. 
Generally in our probabilistic algorithm we could use a heuristic optimization 
algorithm instead of a linear search; if we do this then we suggest trying the differential 
evolution algorithm because it is known to be fairly fast and reasonably 
robust [12]. The components of the vectors used in the differential evolution algorithm 
depend on $L$ and $L_p$; differential evolution means that in general the 
components of the trial vector will not increase linearly, so the quantities in steps 
3ii, 3iv will not be increased linearly as is done in the probabilistic algorithm. 

Algorithm 5 - To Recover BL and BR. 

With a little more work we give an attack that recovers the secret subgroups 
BL and BR. Any attacker can compute $w_i$, $v_j$ for sufficiently many $i$ and $j$ 
using the attack above (to recover $z$); the attacker then checks for the generator 
$b_r$, $1 \le r < n$, if 

$$w_i b_r = b_r w_i \text{ for all } i \tag{3}$$

$$v_j b_r = b_r v_j \text{ for all } j. \tag{4}$$

If (3) is true then $b_r$ is a generator of BR; similarly if (4) is true then $b_r$ is a generator 
of BL. 

Algorithm 6 - To modify our attack to solve the general MSCSPv. 

1. For the MSCSPv $((v_1, v_2, \ldots, v_u), (v'_1, v'_2, \ldots, v'_u))$ compute a suitable finite 
approximation $Z$ of the centralisers of the set of elements $(v'_1, v'_2, \ldots, v'_u)$. 

2. Find elements in $Z$ that are conjugated by $g$ (we refer to 
such elements as the system of conjugacy equations $((w_1, w_2, \ldots, w_u), (w'_1, w'_2, \ldots, w'_u))$) 
such that the sets $(v_1, v_2, \ldots, v_u)$, $(w_1, w_2, \ldots, w_u)$ are commuting. 

3. Solve the MSCSPv using a version of algorithm 2 with the pair of MSCSPv 

$$((v_1, v_2, \ldots, v_u), (v'_1, v'_2, \ldots, v'_u)),\quad ((w_1, w_2, \ldots, w_u), (w'_1, w'_2, \ldots, w'_u)).$$

Here $v_i$, $w_i$ are chosen from the subgroups BL and BR respectively. Note if 
the structure of BL and BR is known then this may be used in our deterministic 
algorithm. Combinations of centraliser elements and their inverses of the 
conjugated generators may be computed to attempt to construct shorter words 
$k$. In an example of the above algorithm it may be feasible to compute one or more 
of the elements $v_1, v_2, \ldots, w_u$, possibly using the relation $\lambda(v'_i) = \lambda(\bar v_i)$ where $\bar v_i$ 
is the guess for $v_i$, and hence reduce to the MSCSP there. 

3.2 Defending Against Attacks 

The attacks may be avoided if: 

1) Ensure if possible that elements of the centralisers of $u'_i$ are hard with respect to the 
CSP $(k, zkz^{-1})$. 

2) Ensure if possible that for elements of the centralisers of $u'_i$ of the form $zkz^{-1}$, 
the element $k$ cannot be feasibly computed. 

3) Maximize the value $O_1$, with the constraint of making the MSCSPv as 
difficult as possible for the attacker. 

4) The TTP algorithm may be modified with different choices for BL, BR so 
that larger generators are used, within the constraints of the computing platform. 

5) The security of the AAGL protocol is based on algorithm 
$\mathcal{C}$ not being efficient, and $\mathcal{C}$ may be based on the following problem, which is 
problem 1 given in [10]: 

given $g_1, \ldots, g_k \in G$ compute $C(g_1, \ldots, g_k)$, 

here $(g_1, \ldots, g_k) = (u'_1, \ldots, u'_u)$ and $C(g_1, \ldots, g_k) = C(g_1) \cap C(g_2) \cap \ldots \cap C(g_k)$. 

4. Potential Length Based Algorithm for MSCSPv 

We show that a modified known basic length attack, for example see [11], can 
be used for the general MSCSPv, and then any algorithm can be used to solve 


the MSCSP, such as a known length attack such as [11]. We refer to our length 
based MSCSP algorithm as the length-MSCSPv algorithm. Suppose we are given 
an example of the MSCSPv. 

Compute the centraliser of $zw_iz^{-1}$, or a portion of this set which we call $S_{w'_i}$; then 
$S_{w'_i}$ contains all elements of the form $F = zkz^{-1}$, so it follows that the choices for $k$ include 
all elements in a suitable approximation of the centraliser. Hence the 
generators we peel from $F$ in our length attack are the generators of the centralisers 
of $w'_i$. For example, one of the generators of the centraliser of the 
element $\sigma_1\sigma_2\sigma_1$ is $\sigma_1\sigma_2\sigma_1\sigma_1\sigma_2^{-1}\sigma_1^{-1}$, and the above generator is of length 10. 

Algorithm 7 - Length-MSCSPv. 

Run steps 1 and 2 of algorithm 6; for step 3 use the algorithm below instead 
of a version of algorithm 2. 
Compute 

$$r'_i = z r_i z^{-1}\; z t_i z^{-1}\; z r_i^{-1} z^{-1} = z r_i t_i r_i^{-1} z^{-1}$$

where the words $r_i$ and $t_i$ are words in the generators $w_i$. Note an element of 
the form $z r_i z^{-1}$ may be used instead for $r'_i$. 

1. Select a length function $l$. Construct $r'_i$ as a word in the generators $w'_i$ for 
some $1 \le i \le n_w$. $A$ is set to the identity element. Set the iteration $n$ to zero. 
Compute a subset $C_r$ of the generator set of the intersection of the centralisers' 
generator sets, $C_r \subseteq (C(v'_1) \cap \ldots \cap C(v'_{n_v}))$; $a_c = 1$ is sufficient; we may also try 
to compute the length of the generators of $C_r$ with suitably long generators. 

2. Select suitable elements $s_n \in C_r$. If 

$$\tau(r'_1, \ldots, r'_{a_w}, s_n) \preceq \tau(r'_1, \ldots, r'_{a_w}, e)$$

where $\preceq$ is a linear ordering (or an objective function) on a vector of real numbers 
[11] and each element of the tuple $\tau(r'_1, \ldots, r'_{a_w}, s_n)$ except the last is given by 
the corresponding number $l(s_n^{-1} r'_i s_n)$. 

3. Update the word $A$ as 

$$A_{n+1} = A_n s_n.$$

The algorithm stops at this part when, depending on $\tau(r'_1, \ldots, r'_{a_w}, s_n)$ and the 
stopping criteria (there can be more than one stopping criterion), it goes to 
step 6. The algorithm stops with some probability $p$ with $A = z f_i = \bar f_i$, and 
this braid is stored, where $f_i = r_i c_i$ for some $c_i \in G$; in other words $A$ is the 
product of $z$ and a partial factor of $r_i$ which we call $f_i$. 

4. Update the element $r'_i$ as 

5. $n = n + 1$. Goto 2. 

6. Repeat steps 1 to 5 $a_w$ times (obviously with a different choice of elements $r'_i$, 
$1 \le i \le $ , and maybe a different choice for the integer $a_w$). 

7. Steps 1 to 6 are repeated again $a_v$ times but with $v'_i$ in place of $w'_i$ and $w'_i$ 
in place of $v'_i$, using a system of $n_v$ equations. 
8. We now have stored two sets we refer to as BV and BW. 

$$\{z w_1, z w_2, \ldots, z w_{a_w}\} = \{\bar w_1, \ldots, \bar w_{a_w}\} = BW$$

$$\{z v_1, z v_2, \ldots, z v_{a_v}\} = \{\bar v_1, \ldots, \bar v_{a_v}\} = BV$$

9. It follows from the MSCSPv example that $w_I v_J = v_J w_I$ for any $I$ or $J$. The 
attacker picks $I$ and $J$ and computes 

$$M_1 = \bar v_J^{-1} \bar w_I = v_J^{-1} z^{-1} z w_I = w_I v_J^{-1} \quad\text{and}\quad Y = \bar w_I \bar v_J^{-1} = z w_I v_J^{-1} z^{-1}$$

hence the attacker can solve the CSP $(M_1, Y)$ for $(z, z^{-1})$. Similarly 

$$M_2 = \bar v_J \bar w_I^{-1} = v_J z^{-1} z w_I^{-1} = w_I^{-1} v_J$$

and the attacker solves the CSP $(M_2, Y^{-1})$ for $(z, z^{-1})$. Repeating the above with 
similar computations for different $I, J$ builds up a system of conjugacy equations, 
hence this reduces the MSCSPv to the MSCSP. 

The algorithm is a modification of the known length attack because we use 
the generators of the whole conjugated word $z r_i z^{-1}$ and not, as usual, just the 
generators of $z$; the conjugated element with a partial factor of $r_i$ is recovered, and 
intermediate partial factors involving the secret are recovered and used, not, as 
usual, the secret element itself. 

A simple stopping criterion is, for some $C$ with 

$$\tau(t_1, \ldots, t_{a_w}, e) \preceq C \preceq \tau(r'_1, \ldots, r'_{a_w}, e),$$

stop when 

$$\tau(r'_1, \ldots, r'_{a_w}, s_n) \preceq C$$

and $\tau(t_1, \ldots, t_{a_w}, e)$ is to be estimated by the attacker using the value of $L$ given 
in [1]. 

At step 3 we could solve the equation $z v_i$ for $z$, which may be easier than 
solving the MSCSP, and so we do not need to run all the steps; to be 
precise the algorithm is as follows. 

Algorithm 8 - Length-MSCSPv. 

Run steps 1 and 2 of algorithm 6; for step 3 use the algorithm below instead 
of a version of algorithm 2. 
Compute 

$$r'_i = z r_i z^{-1}\; z t_i z^{-1}\; z r_i^{-1} z^{-1} = z r_i t_i r_i^{-1} z^{-1}$$

where the words $r_i$ and $t_i$ are words in the generators $w_i$. Note an element of 
the form $z r_i z^{-1}$ may be used instead for $r'_i$. 

1. Select a length function $l$. Construct $r'_i$ as a word in the generators $w'_i$ for 
some $1 \le i \le n_w$. $A$ is set to the identity element. Set the iteration $n$ to zero. 
Compute a subset $C_r$ of the generator set of the intersection of the centralisers' 
generator sets, $C_r \subseteq (C(v'_1) \cap \ldots \cap C(v'_{n_v}))$; $a_c = 1$ is sufficient; we may also try 
to compute the length of the generators of $C_r$ with suitably long generators. 
2. Select suitable elements $s_n \in C_r$. If 

$$\tau(r'_1, \ldots, r'_{a_w}, s_n) \preceq \tau(r'_1, \ldots, r'_{a_w}, e)$$

where $\preceq$ is a linear ordering (or an objective function) on a vector of real numbers 
[11] and each element of the tuple $\tau(r'_1, \ldots, r'_{a_w}, s_n)$ except the last is given by 
the corresponding number $l(s_n^{-1} r'_i s_n)$. 

3. Update the word $A$ as 

$$A_{n+1} = A_n s_n.$$

The algorithm stops at this part when, depending on $\tau(r'_1, \ldots, r'_{a_w}, s_n)$ and the 
stopping criteria (there can be more than one stopping criterion), it goes to 
step 6. The algorithm stops with some probability $p_2$ with $A = z f_i = \bar f_i$, and 
this braid is stored, where $f_i = r_i c_i$ for some $c_i \in G$; in other words $A$ is the 
product of $z$ and a partial factor of $r_i$ which we call $f_i$. 

4. Update the element $r'_i$ as 

5. $n = n + 1$. Goto 2. 

6. Repeat steps 1 to 5 $a_w$ times (obviously with a different choice of elements 
$r'_i$, $1 \le i \le a_w$, and maybe a different choice for the integer $n_w$). 

7. Steps 1 to 6 may be repeated again $a_v$ times but with $v'_i$ in place of $w'_i$ 
and $w'_i$ in place of $v'_i$, using a system of $n_v$ equations. 

8. We now have stored one set or two sets we refer to as BV and BW. 

$$\{z w_1, z w_2, \ldots, z w_{a_w}\} = \{\bar w_1, \ldots, \bar w_{a_w}\} = BW$$
$$\{z v_1, z v_2, \ldots, z v_{a_v}\} = \{\bar v_1, \ldots, \bar v_{a_v}\} = BV$$

Using another algorithm we use the elements in BW or BV and solve for $z$; one 
of the simplest choices at this step is, given an element of BW or BV, to find $w_i$ or 
$v_i$ by brute force and hence compute $z$ by a right multiplication. 

5. Attack Using Conjugacy Extractor Functions 
5.1 First Attack using CE Functions 

In the TTP algorithm above given in [1], step 2 is "chooses a secret element 
$z \in B_n$"; a user could implement this step 2 with $z$ chosen from a publicly known 
subgroup of $B_n$. We show that this implementation means a CE (conjugacy 
extraction) function [13] can be given. It is not stated in [1] that $z$ should not be picked from 
a publicly known subgroup. The attack is as follows. 

1. Let $z \in R$ where $R = \langle a_1, \ldots, a_k \rangle$ is a publicly known subgroup of $B_n$. In 
this step the attacker just needs to find one element that commutes 
with $z$ and not with all possible choices of $u_i$ (using an algorithm chosen by the 
attacker) to show the AAGL protocol is based on the MSCSP; one way to find 
such elements is as follows. The attacker picks a subgroup of $R$ given by the 
generators $g_1, \ldots, g_k$. Then the attacker computes all of or a large part of 

$$S = C(a_1, \ldots, a_k) = C(a_1) \cap \ldots \cap C(a_k).$$
2. Then 

$$CE(S_l, u'_i) = u'_i S_l u'^{-1}_i = z u_i z^{-1} S_l z u_i^{-1} z^{-1} = z u_i S_l u_i^{-1} z^{-1},$$

will be true if $S_l$ does not commute with $u_i$, $S_l \in S$, $1 \le l \le M$. The 
protocol can then be based on the MSCSP with 

$$((S_1, S_2, \ldots, S_M), (CE(S_1, u'_i), CE(S_2, u'_i), \ldots, CE(S_M, u'_i))) \text{ with solution } (o, o^{-1}),\; o = z u_i,$$

and $z$ can be found by computing $o u_i^{-1} = z$. 

As a variant of the above algorithm an attacker may try to compute an 
element $S_j \in C(u_j)$; then it may be possible to use $S_j$ instead of $S_l$ in the 
attack above, where $u_j \ne u_i$, so in this variant knowledge of $z$ being chosen from 
a subgroup is not required. 

5.2 Second Attack using CE Functions 

This attack reveals partial information about the secret $z$. 

1. The attacker picks elements $S_l$ according to some criteria; for example the 
elements $S_l$ may be picked randomly, or $S_l$ may be composed of a few Artin 
generators as these may commute to some degree with $z$. 

2. Then for $1 \le l \le M$, for a sequence of integers $T_l$, 

$$CE_l(S_l, u'_{T_l}) = u'_{T_l} S_l u'^{-1}_{T_l} = z u_{T_l} z^{-1} S_l z u_{T_l}^{-1} z^{-1} = z u_{T_l} z_{T_l}^{-1} S_l z_{T_l} u_{T_l}^{-1} z^{-1}$$

where $z_{T_l}$ is a partial factor of $z$ with some probability for some $l$; this means 
$z = \bar z_{T_l} z_{T_l}$. 

3. We solve for each $l$ the CSP $(S_l, z u_{T_l} z_{T_l}^{-1})$ and hence compute 

$$z_{T_l} = ((z u_{T_l} z_{T_l}^{-1})^{-1}\, z u_{T_l} z^{-1})^{-1}.$$

4. We now find $z$ using the information $(S_l, z u_{T_l} z_{T_l}^{-1}, z_{T_l})$ and the other 
information used in the protocol. One of the simplest choices to implement this 
step is trying to find $z_{T_l}$ for each $l$ by brute force. 

A variant of the above attack is, after $z_{T_l}$ is recovered, to repeat the 
attack (at least once) by iterating with $z_{T_l}^{-1} u'_{T_l} z_{T_l}$ instead of $u'_{T_l}$ (and obviously 
all other values may be different); in this way we may be able to find a bigger 
factor of $z$. It may be true with some probability that $z$ contains a partial factor 
of $u_{T_l}$, which means the CSP is solved to give $z_{T_l} \bar u_{T_l}$ where $\bar u_{T_l}$ is some partial 
factor of $u_{T_l}$. Then the simplest choice at this step to recover $z$ is to find $\bar u_{T_l}$ 
by brute force and use it to recover $z$. Note this attack is easily modified to 
solve the decomposition problem, which means using a product of three elements 
instead of . 

Again, another conjugacy extractor (see [13]) can be given (i.e. this will show the AAGL 
protocol is based on the MSCSP again). The user may try computations of the 
form (following the notation of [1]) $A_{public}\,\alpha\,A_{public}^{-1}$, $A_{public}^{-1}\,\beta\,A_{public}$, $B_{public}\,\gamma\,B_{public}^{-1}$, $B_{public}^{-1}\,\delta\,B_{public}$ 
where $\alpha, \beta, \gamma, \delta$ are chosen with $\alpha \in B$, $\beta \in N_B$, $\gamma \in A$, $\delta \in N_A$. The information 
recovered from the MSCSP above may be used in an attack such as, for 
example, the following attack. Once an element of the form 
$z \star (x_{a_i}(t), s_{a_i}) \star \ldots \star (x_{a_j}(t), s_{a_j}) \star$ may be found, then an element such as $(\eta_a, id)$ may 
be found and so the shared secret can be computed. We will give further details 
of this attack. To resist the above attack the public elements should be chosen 
so that they do not have an inverse. 

6. An algorithm for the MSCSP 

Consider the MSCSP $((x_1, x_2, \ldots, x_u), (y_1, y_2, \ldots, y_u))$ with solution $(g, g^{-1})$. 

Suppose $x_i \in A$, $g \in B$, with $A = \langle a_1, a_2, \ldots, a_M \rangle$, $B = \langle b_1, b_2, \ldots, b_N \rangle$. Compute 
a large part or all of the centraliser 

$$D = C(b_1, \ldots, b_N) = C(b_1) \cap \ldots \cap C(b_N).$$

Then we can compute the CE functions 

$$CE_k(d_k, y_i) = y_i d_k y_i^{-1} = g x_i d_k x_i^{-1} g^{-1}.$$

This means we have transformed the MSCSP into another MSCSP. We can use 
this transformed MSCSP to attack the protocol in [2], e.g. we may use the 
transformed MSCSP as part of another algorithm that solves the MSCSP, such 
as a length attack; such a length attack is as follows. 

1. Select a length function $l$. $A$ is set to the identity element. Set the 
iteration $n$ to zero. Compute a large part or all of the centraliser $D$. 

2. While (Criteria = True) 
{ 

Select elements $s_n \in B$. 
Compute 

$$CE_k = CE_k(d_k, y_i) = y_i d_k y_i^{-1} = g x_i d_k x_i^{-1} g^{-1}$$

for some $1 \le k \le I$, for some $I$, $d_k \in D$. 

$$\tau(CE_1, \ldots, CE_I, s_n) \preceq \tau(CE_1, \ldots, CE_I, e)$$

where $\preceq$ is a linear ordering (or an objective function) on a vector of real numbers 
[11] and each element of the tuple $\tau(CE_1, \ldots, CE_I, s_n)$ except the last is given by 
the corresponding number $l(s_n^{-1} CE_k s_n)$. 
} End While. 

3. Update the word $A$ as 

$$A_{n+1} = A_n s_n.$$

The algorithm stops at this part when, depending on $\tau(r'_1, \ldots, r'_{a_w}, s_n)$ and the 
stopping criteria (there can be more than one stopping criterion), it goes to 
step 6. The algorithm stops with some probability $p_3$. 

4. Update the element $CE_k$ using 

$$s_n^{-1} CE_k s_n$$

5. $n = n + 1$. Goto 2. 
6. Output $A$. 

One choice at step 2 is to select $s_n$ from all the generators of $B$; 
then the choice for the Criteria at step 2 is to increase $I$ using a chosen algorithm 
until it is decided that peeling occurs for one of the $N$ choices (we try all $N$ choices) 
from $B$ for $s_n$; if peeling is still undecided then the algorithm can pick a generator 
randomly or stop. We may include in step 2 the equations $y_i$ to peel from 
in the above. 
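The CE construction of Section 5.1 (secret $z$ chosen inside a public subgroup $R$) and its reuse in Section 6 (secret $g$ inside a public subgroup $B$) are the same algebraic step, so one worked example covers both. The following is an added illustration and not code from the paper; it models the group by a small symmetric group $S_6$ instead of $B_n$ (the paper notes its algorithms also apply to groups other than the braid group), and every element, generator and name in it is constructed for the example, so centralisers and the MSCSP are solved by exhaustive search rather than by summit-set methods.

```python
"""Toy model, in a symmetric group, of the conjugacy-extractor (CE) constructions of
Sections 5.1 and 6.  Added illustration, not code from the paper; S_6 is small enough
to enumerate, so the centraliser and the MSCSP are computed by brute force.
Every element below is constructed for the example."""
from itertools import permutations

N = 6                                             # constructed: work in S_6 (720 elements)
GROUP = [tuple(p) for p in permutations(range(N))]

def compose(p, q):
    """Product p*q: apply q first, then p, so (p*q)[i] = p[q[i]]."""
    return tuple(p[q[i]] for i in range(len(p)))

def inverse(p):
    inv = [0] * len(p)
    for i, p_i in enumerate(p):
        inv[p_i] = i
    return tuple(inv)

def conj(g, x):
    """g x g^{-1}: the conjugation used throughout the paper (u' = z u z^{-1})."""
    return compose(compose(g, x), inverse(g))

def centraliser(elements, group=GROUP):
    """C(g_1, ..., g_k) = C(g_1) ∩ ... ∩ C(g_k), computed by exhaustive search."""
    return [c for c in group
            if all(compose(c, e) == compose(e, c) for e in elements)]

def ce(s, u_prime):
    """Conjugacy extractor CE(s, u') = u' s u'^{-1}.  With u' = z u z^{-1} and s commuting
    with z this equals (z u) s (z u)^{-1}, so the secret z enters only through o = z u."""
    return conj(u_prime, s)

def build_mscsp(public_gens, u, u_prime, group=GROUP):
    """Section 5.1 / Section 6 construction.  `public_gens` generate the public subgroup
    the secret conjugator is known to lie in (R with z in R, or B with g in B).  Returns
    the MSCSP ((S_1..S_M), (CE(S_1,u')..CE(S_M,u'))).  Elements of the centraliser that
    also commute with u are dropped: for them CE(s, u') = s carries no information."""
    S = [s for s in centraliser(public_gens, group) if compose(s, u) != compose(u, s)]
    return S, [ce(s, u_prime) for s in S]

def solve_mscsp(xs, ys, group=GROUP):
    """All g with g x_l g^{-1} = y_l for every l (exhaustive; the toy group is tiny)."""
    return [g for g in group if all(conj(g, x) == y for x, y in zip(xs, ys))]

def recover_conjugator(public_gens, u, u_prime, group=GROUP):
    """Run the construction end to end: build the MSCSP, solve it for o = z u, set
    z = o u^{-1}, and keep only candidates that really satisfy z u z^{-1} = u' (the check
    the paper suggests in Section 3).  Returns (S, sorted list of candidates for z)."""
    S, Y = build_mscsp(public_gens, u, u_prime, group)
    u_inv = inverse(u)
    cands = {compose(o, u_inv) for o in solve_mscsp(S, Y, group)}
    return S, sorted(c for c in cands if conj(c, u) == u_prime)

# Constructed instance: R = <A1, A2> is a public subgroup (S_3 on the points 0,1,2),
# the user picks the secret z as a word in A1, A2, and publishes (u, u' = z u z^{-1}).
A1 = (1, 0, 2, 3, 4, 5)             # transposition (0 1)
A2 = (1, 2, 0, 3, 4, 5)             # 3-cycle (0 1 2)
Z = compose(A2, A1)                 # secret, chosen inside the public subgroup R
U = (3, 4, 2, 0, 1, 5)              # public "u_i": (0 3)(1 4)
U_PRIME = conj(Z, U)                # public "u'_i"

if __name__ == "__main__":
    S, zs = recover_conjugator([A1, A2], U, U_PRIME)
    print(f"{len(S)} CE equations built from C(A1, A2); candidates for z: {zs}")
    print("secret recovered:", zs == [Z])
```

Because $C(A_1, A_2)$ is computed from public data only, the five equations $CE(S_l, u') = o S_l o^{-1}$ are an MSCSP whose middle elements are known, which is exactly the reduction the section describes; the defensive reading is that choosing $z$ inside a public subgroup hands the attacker this instance for free.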

7. Conclusion 

The above attacks need to be investigated further, because large parts of 
the centraliser of an element can be computed (but in general it is difficult 
to compute all elements in the centraliser), and we think the attacks can be 
improved. Not considering a brute force algorithm (it is shown in [1] that 
the AAGL protocol is secure from a brute force algorithm), we have given the 
only deterministic algorithm to break the AAGL protocol. We have given 
algorithms for the MSCSPv and shown it can be reduced to solving the MSCSP 
using an algorithm of exponential complexity. Further work is: 

• To implement our deterministic attack or a variant of it; for example, try 
randomised and/or genetic algorithms (these can be used to increase 
the probabilities $p, p_1$), or evolutionary algorithms (e.g. differential evolution), 
which lead to more probabilistic solutions (an attacker can try our attack 
even if it is of exponential complexity in the worst case). 

• To minimize $O_1$, possibly with additional heuristics in algorithm 4. 

• Try different length attacks apart from the basic length algorithm (which 
we have used) in the length-MSCSPv algorithms, and try different refinements 
of the above length algorithm; these include randomised and/or genetic 
algorithms which lead to more probabilistic solutions. To test and implement the 
length-MSCSPv algorithms to give experimental results for their success for different 
parameters. The length-MSCSPv algorithms we have given can be used 
as the basis of other length-MSCSPv algorithms. 

• As described in the attack given in section 5, it is sufficient to find one 
element that commutes with $z$ to show the protocol is based on the MSCSP 
(and so the AAGL protocol would be no more secure than using another MSCSP 
based protocol such as the AAG protocol given in [2]); a natural question now 
arises, which is: 

Given the example of the MSCSPv used in the AAGL protocol, how easy 
or how hard is it to find an element $s$ that commutes with $z$ but such that $s$ does not 
commute with all choices of $u_i$? 

This question needs further investigation. 
Appendix 

In this appendix we give another version of algorithm 4, presented in the 
style of the paper [16]. Then we give an attack on the DSC (Dehornoy Shifted 
Conjugacy) protocol in [14]. This appendix follows the style of the LU paper 
[16]. 

A Probabilistic Algorithm for the Multiple Simultaneous 
Conjugacy Search Problem Variant 

We can define the length of the element $x \in B_n$ to be the length of its 
Garside normal form, and we denote an arbitrary length function by $l(x)$ or 
$l_i(x)$. 
Recall, we refer to the CSP as the MSCSP with $u = 1$, so an example of the 
CSP is denoted as $(x_1, y_1)$. Informally we refer to $x_1$ as the "middle element" 
of $y_1$. 

Recall, to break the scheme it is sufficient to find $z$ or a solution that can be 
used in place of $z$; then once the common secret conjugator $z$ is recovered with 
our attack, the shared secret key can be computed with the linear algebraic 
attack given in [1]. Recall the security of the protocol is based on the MSCSPv. 
The security of the TTP algorithm is based on the MSCSPv with the elements 
$(x_1, x_2, \ldots, x_u) = (w_1, \ldots, w_j, v_1, \ldots, v_j)$, $(y_1, y_2, \ldots, y_u) = (w'_1, \ldots, w'_j, v'_1, \ldots, v'_j)$ 
and $u = 2j$. We assume the attacker knows this instance of the MSCSPv 
in the Artin representation. 

In this appendix we give algorithms which are a probabilistic reduction from 
the MSCSPv to the MSCSP; this includes another version of algorithm 4. 

At the end of the appendix we make suggestions for secure protocol parameters. 

To summarize our work: 

A. We give an algorithm (another version of algorithm 4) to show the MSCSPv 
can be probabilistically reduced to the MSCSP. 

B. We give a new algorithm to solve a hard problem (which is a generalisation 
of the SCSP) we refer to as the MSSDP. 

C. We give an algorithm for the MSSDPv; the MSSDPv generalises the 
MSCSPv and the MSSDP simultaneously. 

Definition. $\mathcal{C}$ is an algorithm that computes elements in the centralisers of 
given elements in factorial space and time complexity in the worst case. 

Proposition A 

For the MSCSPv with $u = 1$, if $x_1$ can be feasibly computed then $z$ can be found 
by solving the CSP $(x_1, y_1)$. 

Proof 

Follows from the definitions of MSCSPv and CSP above. 
Proposition B 

Let $u'_i = z u_i z^{-1}$ for some $1 \le i \le 2j$ (i.e. the example of the MSCSPv used in the 
AAGL protocol) and $z, k \in B_n$. Then for all $i$ we have 

$$z k z^{-1} \in C_{B_n}(u'_i) = C_{B_n}(z u_i z^{-1})$$

where $C_{B_n}(u'_i)$ denotes the centraliser of $u'_i$ in $B_n$. 

Proof 

Obvious. □ 

1 On $n$-Centraliser Attacks 
Now it follows from the above propositions A, B that the MSCSPv $((x_1, x_2, \ldots, x_u), (y_1, y_2, \ldots, y_u))$ 
can be solved in two steps: 

(S1) Find suitable element(s) $c$, $c \in C_{B_n}(u'_i)$, for at least two values of $i$ such 
that $u'_i = v'_j$ and $u'_i = w'_k$, with $c$ of the form $z k z^{-1}$, using algorithm $\mathcal{C}$. The 
computation of the centraliser may be based on the super summit technique in 
[7]. We refer to this step as an $n$-centraliser attack or a centraliser(s) attack. 

(S2) Find, using some algorithm, the values of $k$, $k = x_i$ (for all $i$) in the MSCSPv, 
then solve the corresponding MSCSP. 

The description of super summit sets is given in [7], so we omit that 
part of (S1) here. But (S1) still requires some elaboration, 
as follows. To be able to work with elements of $C_{B_n}(u'_i)$ efficiently we need to 
describe $C_{B_n}(u'_i)$ in some convenient way, for instance by a set of generators. 
Hence (S1) itself consists of two smaller steps: capturing (i.e. computing suitable 
approximations of the centraliser(s)) the union of various centraliser(s), which we refer 
to as $C'$, and finding the required element $c \in C'$ in the above union. We 
formalize the type of attack in (S1) as follows. 

Definition. An $n$-centraliser attack or a centraliser(s) attack is an attack 
where the computation of $n$ centralisers is involved, then a set of elements 
from the above $n$ centraliser(s) is found subject to some conditions. The 
elements found above are used as part of the attack. E.g. we refer to step (S1) 
as a $(2 + d)$-centralisers attack where elements are found to build an MSCSP; 
otherwise if $n = 1$ we refer to step (S1) as a centraliser attack or a 1-centraliser 
attack. 

Our algorithm for the MSCSPv is a $(2 + d)$-centraliser attack where $1 \le d \le 
j - 1$. A centraliser attack is given in [16], so our idea of a centraliser(s) attack 
extends the idea of "a centraliser attack" in [16]. 

The only known algorithm [9] for computing a generating set for a centraliser 
reduces to the construction of super summit sets, the size of which is not known 
to be polynomially bounded, and which is usually hard in practice. Hence the 
approach of describing the whole generating set is not feasible, but we will use a 
variation of this approach. Another approach to investigate is to find a feasibly 
computable subgroup as a generating set of when $k$ is of polynomial length (and 
hence feasibly computable). By polynomial above we mean the degree of the 
polynomial is small enough for practical computations. We summarize the ideas 
of this appendix into a heuristic probabilistic algorithm 1.1 below. 

Informally, the algorithm below works because of the following: 

i) If $g_a$ is small enough then the "middle elements" (the $x_i$'s) in the MSCSPv 
can be found by guessing; the "middle element" is known in the MSCSP; hence 
we can reduce the MSCSPv to the MSCSP if the above guess is correct. 

ii) $g_a$ is suggested to be small in the AAGL protocol because $a$ is unknown 
and AAGL is for a lightweight platform. 

iii) The structure of the TTP algorithm in the AAGL protocol implies that 
we can get $g_a = 1$ for a suitable choice of the algorithm $\mathcal{C}$, and if we select 
two values of $u'_i$ such that $u'_i = v'_j$ and $w'_k$, this implies we can inefficiently 
deterministically reduce the MSCSPv to the MSCSP. This is because BL, BR 
do not have any generators in common and so the middle element must be 
correct for one of the two above choices of $u'_i$. 

iv) We can use some type of search, such as a heuristic search, to find the 
"middle element" more efficiently. 

v) We can test that we have found the correct "middle element" by using the 
property of the efficiently computable braid invariant $\lambda$, which is an invariant 
under conjugation, i.e. $\lambda(x_1) = \lambda(y_1)$ in the CSP; we can get enough information 
about the "middle element" easily without solving the triple decomposition problem 
to get the "middle element". 

The text in italics at each step in the probabilistic algorithm is a suggestion 
for an example of that step. The algorithm is for a general example of the 
MSCSPv, but suggestions are made specifically for the AAGL protocol in our 
algorithm. Step A implements (S1). Step B implements (S2). 

Algorithm 1.1 - Probabilistic algorithm for MSCSPv 

INPUT: An example of the MSCSPv, $(y_1, y_2, \ldots, y_u)$ in $((x_1, x_2, \ldots, x_u), (y_1, y_2, \ldots, y_u))$, 
and the value of $u$, called $t$. 

OUTPUT: A solution $g'$ for the MSCSPv. 
COMPUTATION: 

A. Set $S = M = C' = A = \emptyset$. Using a chosen algorithm $\mathcal{C}$ compute 
$C' \subseteq C_{B_n}(u'_i)$ for some values of $i$, i.e. $C' = \bigcup_{\forall i} C_{B_n}(u'_i)$. It follows that $C'$ may 
contain elements of the form $F = z k z^{-1}$. Hence the choices for $k$ include all 
elements in BR or BL depending on whether $u'_i = v'_i$ or $u'_i = w'_i$. 
There are two choices we suggest for this step: 

First choice: compute the centraliser as a generating set using the algorithm 
in [9]. Then select random products of the generators to give a word $r$. An 
option for this choice is to use a suitable length function $l_i$; we would expect, if $r$ 
is conjugated by $z$, 

$$l_i(r u'_i) < l_i(r) + l_i(u'_i) \quad\text{and}\quad l_i(u'_i r) < l_i(r) + l_i(u'_i)$$

The above idea is based on the Hamming distance between words: i.e. if $r$ and 
$u_i$ are both conjugated by the same element then we would expect both the 
above inequalities to be true. 

Second choice: use the subalgorithm for this step described below. 

B. Repeat steps Bi, Bii, Biii until a solution is found. 

We construct the pair $(a, z a z^{-1}) = (a, b)$, finding $a$ as follows, and $z a z^{-1} \in C'$ 
as follows. 

Bi. Select $b \in C' \setminus M$ and add $b$ to $M$ if $b$ is selected. If all possible values 
for $b$ have been used (i.e. $M = C'$) goto step A. Using a chosen algorithm we 
find $b$ in the pair $(a, b)$ as follows. A choice at this step is that, because anyone 
knows the length $g_z$ in Artin generators of $z$ [1] and we assume the length in 
Artin generators of $a$ is less than a feasible bound $g_a$, we do a type of search 
(e.g. linear search or random search) using an algorithm that uses $l_i(b)$, $g_z$, $g_a$, 
e.g. an algorithm that uses the heuristic 

$$l_i(b) \le 2 g_z + g_a.$$

Bii. Construct, using a chosen algorithm, the set $A$ which is the set of possible 
values for $a$. Then using a chosen algorithm we find $a \in A$. If the relation $b \sim a$ 
is true then add the pair $(a, b)$ to $S$, because this means $a$ is conjugate to $b$. $M$ 
represents worked-out elements for $b$. $S$ represents worked-out elements that 
are used in an MSCSP. A choice at this step is that we can try out all possible 
values of $a$ up to length $g_a$ (using a chosen length function); this includes easy 
to guess choices which exist (this follows from the TTP algorithm) for $a$ which are 
single Artin generators. We then use the practical algorithm for the CDP in [6] 
to test the relation $b \sim a$, and 

$$\lambda(b) = \lambda(a)$$

where $\lambda$ is a braid invariant. 

Biii. Repeat steps Bi and Bii until the desired value of $u = t$ is reached in the 
MSCSP. (If the desired value of $t$ is not reached then at Bi go to step A.) Otherwise 
goto step C. 

C. Solve the MSCSP for all the pairs $(a, b)$ using an algorithm that works 
with high probability: if a solution has been found terminate the algorithm; if the 
solution of the MSCSP has not been found goto step A. 

Algorithm 1.2 - Second choice for the Subalgorithm in Step A of algorithm 1.1 

Here we can use an optimization method (e.g. simulated annealing) by considering 
the $(y_1, y_2, \ldots, y_u)$ as input to the optimization method and minimising 
the length (using a chosen length function) of $a$ in the CSP pair $(a, b)$. For 
example, the simplest choice here is the following simple optimization algorithm. 
The idea of this subalgorithm is that words formed from words in the generators 
$(y_1, y_2, \ldots, y_u)$ are in $C'$, and such word(s) may have a small length in $a$. The 
subalgorithm can be used at least twice depending on whether $u'_i = v'_i$ or $u'_i = w'_i$. 

1. Initialisation step. Choose a suitable length function $l$. Set fitness $= 
\min_{k,\, 1 \le k \le u} l(y_k)$. Set Solution $= l(y_k)$ with $y_k$ such that it has minimal 
fitness (i.e. it is a solution). 

2. Select random subsets of the MSCSPv $(y_1, y_2, \ldots, y_u)$ tuple; the simplest 
choice at this step is to select random $y_i, y_j$ for two random $i$ and $j$. 

3. The objective function should grow smaller as $a$ is smaller. Then the 
simplest choice is using 

$$\text{Objective function} = l(y_i^{\pm 1} y_j^{\pm 1}).$$

Then if $l(y_i^{\pm 1} y_j^{\pm 1}) <$ fitness we add the element $y_i^{\pm 1} y_j^{\pm 1}$ to $C'$ if $y_i^{\pm 1} y_j^{\pm 1} \notin C'$, 
where $l$ is a length function. 

4. Repeat steps 2 and 3 until the desired size of $|C'|$ is 
reached. If the desired size is not reached then proceed to the next step in the 
main algorithm. 
Proposition 1.1 

Let $\lambda_1, \lambda_2, \omega, c_1, c_2 \in \mathbb{R}$. Solving the MSCSPv can be done with the probabilistic 
algorithm 1.1 in approximately time complexity $O(|XSS(u'_i)|^{\lambda_1} \omega^n)$ and space 
complexity $O(c_1 \omega^n + c_2 |XSS(u'_i)|^{\lambda_2})$. 

Proposition 1.2 

Let $\lambda_1, \lambda_2, \omega, c_1, c_2 \in \mathbb{R}$. This proposition improves the complexity bound of 
proposition 1.1: with additional reasonable assumptions it can be improved 
to time complexity $O(|XSS(u'_i)|^{\lambda_1} n^{1+\epsilon})$ and space complexity $O(|XSS(u'_i)|^{\lambda_2})$ 
using algorithms to solve the MSCSP and CDP efficiently, where the element $u'_i$ is 
part of the TTP's public key, XSS is a summit type set and the constant $\omega$ 
depends on $n$. 

Proof for Proposition 1.1

We assume that algorithm 1.1 is successful: this means it gives the correct output, in particular at step Biii the value $t = m$ is reached, and that a linear search is used at Bi. We do the complexity analysis by following algorithm 1.1 through a successful execution.

Step A. The complexity at step A is determined by the algorithm $C'$ which computes elements in the centraliser. It is assumed that $C'$ has factorial space and time complexity: this assumption is based on the fact that such algorithms exist, e.g. when $XSS = SSS$ or $XSS = SS$, see [9], [8]; precisely, we mean $C'$ has space and time complexity proportional to $|XSS(u'_i)|$. Recall that generically an element of $C$ has the form $F = z a z^{-1}$; this is an important thing to observe.

Step Bi. Since we are trying to construct an MSCSP in $t$ equations it follows that we have to do step Bi at least $t$ times (i.e. at step Biii we repeat $t$ times). In the worst case we would have to try out all of the elements of $C$ stored in the above step (i.e. using the linear search), a set of size $O(|XSS(u'_i)|^{\lambda_1})$.

Step Bii. Recall we are trying to find $a$ in $F$. We analyse the simplest method, which is simply to guess $a$ at random in its Artin generators. This gives the following straightforward computations.

• From the TTP algorithm it follows that a randomly chosen generator has probability $p_\alpha$ and $p_\beta$ of being in $BL$ and $BR$ respectively. Hence if an attacker selects a random word $a$ from $A$ of length $g_a$ in the Artin generators, then it has probability $p_{\alpha,\beta,g_a} = p_\alpha^{g_a} + p_\beta^{g_a}$ of being in $BL$ or $BR$; the above is true because we selected the values above such that $u_i = v_i$ and $u_i = w_i$. From step Bi we compute a subset of $C'$ (with words shorter than a certain bound); we do not have to pick $g_a$ too large because, as noted above, there exist some $a$ of short length in the Artin generators.

• Observe that the attacker must on average compute about $W / p_{\alpha,\beta,g_a}$ words before expecting $W$ words $a$ with $(a, zaz^{-1}) \in (A, C_{B_n}(u'_i))$ to be found. Choosing $g_a \le n$ keeps the algorithm in factorial complexity but this is not a good choice; from the above discussion the attacker can take $g_a = O(\log n)$, and in particular $W\, p_{\alpha,\beta,g_a}^{-1} \le O(n^{O(\log n)}) = O(\omega^n)$ for some $\omega \in \mathbb{R}$, which means this part is exponential.

• It follows that the attacker needs to estimate $p_\alpha, p_\beta$. The attacker may estimate $p_\alpha, p_\beta$ by assuming that $l_\alpha, r_\beta, n$ are not independent of each other, for example $l_\alpha \approx r_\beta$, and by assuming, for example, that nearly all possible Artin generators are used in $BL, BR$: so $p_\alpha \approx p_\beta$. Note that if all possible Artin generators are used then $p_{\alpha,\beta,1} = 1$ for the selection of $a$ as a single Artin generator. Hence (for large enough $n$ and when $l_\alpha \approx r_\beta$) the attacker needs to compute approximately as few as $2^{g_a}$ distinct words for the parameters suggested in [1] to ensure, on average, a reduction to the MSCSP with at least 2 equations. So we would need to select only approximately 4 distinct random words of length 3 from the set of possibilities for $k$ before the attacker expects to get one conjugacy equation, i.e. one CSP; the example above uses little memory and potentially little computing power.

At the next part of step Bii we use an efficient algorithm for the CDP such as the one given in [6], use a linear search, and use an algorithm for the MSCSP that works with high probability. It is expected from Bi that the length of $b$ is less than that of $u_i$, which means that in general $O(|SSS(u_i)|)$ is greater than $O(|SSS(b)|)$.

Step Biii. Steps Bi to Bii are repeated $t$ times, hence the complexity of these steps has a factor of $t$.

We can now evaluate the total complexity of the algorithm. 

Notation. The notation $A_S$ and $A_T$ means the space complexity and time complexity respectively of an arbitrary algorithm labelled $A$.

The time complexity in the worst case is

$O(C_{B_n}(u'_i)_T + CDP_T \cdot |C_{B_n}(u'_i)| \cdot \omega^n + MSCSP_T)$,

hence an upper bound is $O(|XSS(u'_i)|^{\lambda_1} \omega^n)$.

The explanation is as follows. The term $C_{B_n}(u'_i)_T$ used in step A occurs between 2 and $2 + d$ times, i.e. a constant number of times, which implies the corresponding constant in the complexity term can be ignored. The term $MSCSP_T$ is the complexity at the last step and has order less than $|XSS(u'_i)|^{\lambda_1}$. The term $CDP_T \cdot |C_{B_n}(u'_i)| \cdot \omega^n$ is the complexity at step Bii: step Biii means step Bii is repeated $t$ times for each possible value of $a$ in conjunction with each possible value of $b$, and there are $C_{B_n}(u'_i)_S$ values for $b$. Here the constant $CDP_T$ is the average time taken to solve the CDP over all pairs $(a, b)$. In the worst case the space complexity at this substep is $O(t\, |XSS(u'_i)|^{\lambda_2})$. Clearly the term $CDP_T \cdot |C_{B_n}(u'_i)| \cdot \omega^n$ dominates the complexity. Because the CDP is solved using an efficient probabilistic algorithm such as [6] and $t < \omega^n$, the time complexity follows.
The worst-case space complexity is

$O(|C_{B_n}(u'_i)| + |A| + \max_{a \in A} \max_{b \in C'} CDP_S(a, b) + MSCSP_S)$,

hence an upper bound is $O(c_1 |XSS(u'_i)|^{\lambda_2} + c_2 \omega^n)$.

The explanation is as follows. The terms $|C_{B_n}(u'_i)|$ and $MSCSP_S$ both have complexity at most $O(c_1 |XSS(u'_i)|^{\lambda_2})$ (so we have combined both complexities into one term). $|A|$ is of size $c_2 \omega^n$. $\max_{a \in A} \max_{b \in C'} CDP_S(a, b)$ is negligible as the practical algorithm [6] stores only two elements. □

Now we are in a position to prove proposition 1.2.

Proof for Proposition 1.2

The above analysis may not be optimal; for example, if we make some reasonable assumptions then we get a better bound on the complexities as follows. For this case the average complexities (instead of the worst case) of the algorithms for the CDP, CSP and MSCSP are considered.

The reasonable assumptions are as follows.

• From [1] we assume $l_\alpha, r_\beta$ are linear in $n$ and the attacker selects $g_a = O(\log n)$.

• We assume we have an efficient algorithm for the CDP which has average linear complexity, possibly the one given in [5]; this assumption is based on the result that, empirically, for long random braids whose simple elements are randomly chosen, $|USS|$ is on average likely to be linear in the supremum and independent of the braid index $n$, see e.g. [5]. Hence the CDP/CSP in this average case can be solved in linear space and time complexity.

• We use an algorithm for the MSCSP that works with high probability, such as the one in [5].

It follows (using the assumptions) that the dominant term in the time complexity is the dominant term of the time complexity in proposition 1.1 with the term $\beta^{O(\log n)}$ replacing $\omega^n$. The time complexity in this better case is, with high probability (recall that computing $C'$ is proportional in space and time complexity to $|XSS|$),

$O(c_1 |XSS(u'_i)|^{\lambda_1} \beta^{O(\log n)} O(n)) = O(|XSS(u'_i)|^{\lambda_1} n^{1+\epsilon})$

for some $\beta, \epsilon$ which depend on the choice of $g_a$. The factor $O(n)$ is the complexity of the CDP algorithm.

It follows (using the assumptions) that the dominant term in the space complexity is related to the space complexity in the corresponding case of proposition 1.1. The space complexity is

$O(c_1 |XSS(u'_i)|^{\lambda_2} + \beta^{O(\log n)} + |C_{B_n}(u'_i)|) \approx O(c_1 |XSS(u'_i)|^{\lambda_2} + c_2 n^{\epsilon}) \approx O(|XSS(u'_i)|^{\lambda_2})$.

Using straightforward algebra it can be shown that $\epsilon$ approaches a constant as $n$ becomes larger; it depends on $\beta$ and on the constants in $O(\log n)$, and if $\beta$ is bounded then $\epsilon$ is bounded.
Note the space can be up to exponential in size (so giving a better space bound here); the only requirement for the algorithm to terminate successfully is that the set $C$ must be non-empty, as it must contain at least one element with some feasibly computable $k$.

The above shows that using the AAGL protocol is potentially not significantly more secure than using CSP based protocols such as the AAG protocol [2], as both can be broken with attacks of the same or similar complexity depending on the values $\lambda_1, \lambda_2$ and $\epsilon$; by similar we mean that the instantiations of our attack can differ from attacks on the AAG protocol by a factor that is polynomial in the bitlength of the attack input (i.e. similar), for example the time complexities of the attacks differ by a factor of $n^{1+\epsilon}$ compared to the SSS attack.

We can try a variant of the above algorithm which does not use an algorithm for the CDP in step Bii but instead solves the CSP with the guess for $b$ against every possible element of $C'$ and recovers $z$, and hence the shared secret, using the linear algebraic attack given in [1]; the attacker may test whether $z$ is the correct solution, for example by checking that $z$ conjugates $u_i$ to $u'_i$.

Another variant we can try is the following: it may be that $b \in C'$ (which may be verified using a polynomial time word problem algorithm in $B_n$); in this case $z$ must be in the centraliser of $b$. Call the set of all such stored $b$ the set $b_C$; then $z$ can be found by testing every element of the centraliser of a subset of $b_C$ for the correct element. □

Observe that if the attacker assumes his guess of the generators of $BL, BR$ is correct (or manages to learn these subgroups in a different way) the attacker can compute randomly chosen words in $BL, BR$ in polynomial time and, in up to factorial time (approximately the time taken to solve the CDP), find a system of conjugacy equations, i.e. reduce the security of the AAGL protocol to the MSCSP; so this is another reason why the users should keep the subgroups $BL, BR$ secret. For the modification of the AAGL protocol which uses general $BR$ and $BL$, our attack has to be modified to use the publicly known information about the structures of $BL$ and $BR$.

We see that to increase the probability that our attack on the AAGL protocol above succeeds we have to compute "something like a geodesic of $u'_i$". A geodesic of a braid is a braid word of minimum length in the Artin generators representing the given braid. It is known that computing the geodesic of a braid is an NP-complete problem. However, the version of the geodesic problem the AAGL protocol is based upon is to find a word equivalent to $zaz^{-1}$ which is short enough for $a$ to be feasibly computed. WLOG assume $za \in B_n^+$; the above problem is (easily) equivalent to replacing $zaz^{-1}$ by $zaz^*$ where $z^* = z^{-1}\Delta^{\sup(z)}$, so it is sufficient to find a geodesic-like element of $zaz^*$ in $B_n^+$. Even though computing a geodesic is NP-complete there are two reasons why the above problem may still be easy: the first is that the problem is a version of the geodesic problem and not the exact geodesic problem; the second is that many NP-complete problems have polynomial time average-case solutions, e.g. the observation that it is easy to compute a geodesic of a permutation braid hints that there is such a solution to the above problem.
2 A Centralisers Attack on the Multiple Simultaneous Shifted Decomposition Problem - MSSDP

Recall the shift operator $d$ on $B_\infty$: for the word $w = \sigma_{i_1}^{e_1} \cdots \sigma_{i_k}^{e_k}$ it gives the word $d(w) = \sigma_{i_1+1}^{e_1} \cdots \sigma_{i_k+1}^{e_k}$. This operator induces a monomorphism of the infinite braid group. Recall that the braid $a * b$ is

$a * b = a \cdot d(b) \cdot \sigma_1 \cdot d(a^{-1})$,

and the operator $*$ is the shifted conjugacy operator. Recall that the SCSP (shifted conjugacy search problem) is defined as the following hard problem. For braids $x, y, c \in B_\infty$ find a braid $x \in B_\infty$ such that $y = x * c$, where $c, y$ are publicly known and $x$ is secret.

We now generalise the SCSP in a straightforward way to a hard decomposition type problem called the SDP.

Definition. The SDP (shifted decomposition problem): for braids $w, x, y, c \in B_\infty$ find braids $w, x \in B_\infty$ such that $y = w \cdot d(c) \cdot \sigma_1 \cdot d(x)$, where $c, y$ are publicly known and $w, x$ are secret. The SDP is a generalisation because with $x = w^{-1}$ we recover the SCSP.

Notation. We use the notation $w * c * x = y$ for the SDP.

Definition. The MSSDP (multiple simultaneous SDP) is a set of SDP equations, as follows. Let $n > 1$ be a fixed integer. For braids $w, x, y_i, c_i \in B_\infty$, $1 \le i \le n$, find braids $w, x \in B_\infty$ such that $y_i = w\, d(c_i)\, \sigma_1\, d(x)$, where $c_i, y_i$ are publicly known and $w, x$ are secret.

There are no known efficient solutions for the MSSDP; one reason is that such a solution would mean the SCSP would be easy. We propose a solution for the MSSDP.

Consider $n = 4$ in the MSSDP with $c_1 \ne c_2$ and $c_3 \ne c_4$; this is the system of equations

$y_1 = w\, d(c_1)\, \sigma_1\, d(x)$, $y_2 = w\, d(c_2)\, \sigma_1\, d(x)$, (b)
$y_3 = w\, d(c_3)\, \sigma_1\, d(x)$ and $y_4 = w\, d(c_4)\, \sigma_1\, d(x)$.

We now use the idea of the CE (conjugacy extractor) [13] to transform the MSSDP into a shifted MSCSP type problem very efficiently: the transformation is achieved using CE functions, a concept first introduced in our paper [13]. A CE function is defined as follows. Definition. A CE function uses input from the public information of a hard problem and transforms the hard problem into an instance of the CSP. First we give the mathematical background, then we give our centralisers attack.

On an algorithm for the MSSDP

Define the CE function for one pair of SDP equations from (b) as

$CE(y_1, y_2) = y_1^{-1} y_2 = d(x)^{-1}\, \sigma_1^{-1}\, d(c_1)^{-1}\, d(c_2)\, \sigma_1\, d(x)$ (c)

which is equivalent to solving the CSP with $(\sigma_1^{-1} d(c_1)^{-1} w^{-1} w\, d(c_2)\, \sigma_1,\ CE(y_1, y_2))$ with solution $d(x)$; note that the secret $w$ cancels in the product $y_1^{-1} y_2$.
For $n \in \mathbb{N}$ define the braids

$\delta_{n+1} = \sigma_n \sigma_{n-1} \cdots \sigma_1$.

Then for $i = 1, \ldots, n-1$

$\delta_{n+1}^{-1} \sigma_i \delta_{n+1} =_{B_{n+1}} \sigma_{i+1} = d(\sigma_i)$. (d)

Proposition 2.1

Let $x, CE(y_1, y_2), \sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1 \in B_n$. Then $d(x)$ satisfies equation (c) for the CSP $(\sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1,\ CE(y_1, y_2))$ if and only if it satisfies the CSP $(\delta_{n+1} \sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1 \delta_{n+1}^{-1},\ \delta_{n+1} CE(y_1, y_2) \delta_{n+1}^{-1})$, i.e.

$\delta_{n+1} CE(y_1, y_2) \delta_{n+1}^{-1} = x\, \delta_{n+1} \sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1 \delta_{n+1}^{-1}\, x^{-1}$. (e)

Proof

Follows from (d).

Proposition 2.2

Let $x, CE(y_1, y_2), \sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1 \in B_n$ be braids satisfying equation (c) and let $x'_1 \in B_{n+1}$. Then

$\delta_{n+1} CE(y_1, y_2) \delta_{n+1}^{-1} = x'_1\, \delta_{n+1} \sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1 \delta_{n+1}^{-1}\, x_1'^{-1} \iff x_1'^{-1} x \in C_{B_{n+1}}(\delta_{n+1} \sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1 \delta_{n+1}^{-1})$,

where $C_{B_{n+1}}$ denotes a centraliser in $B_{n+1}$.

Proof

The proof of the similar proposition in [16] is "obvious", and so is the proof of this proposition.

Now consider the equation

$CE(y_3, y_4) = y_3^{-1} y_4 = d(x)^{-1}\, \sigma_1^{-1}\, d(c_3)^{-1}\, d(c_4)\, \sigma_1\, d(x)$. (f)

We can now easily derive two propositions very similar to 2.1 and 2.2 where we use $y_3, y_4$ in place of $y_1, y_2$ respectively. To be precise and complete, these are propositions 2.3 and 2.4.

Proposition 2.3

Let $x, CE(y_3, y_4), \sigma_1^{-1} d(c_3)^{-1} d(c_4) \sigma_1 \in B_n$. Then $d(x)$ satisfies equation (f) for the CSP $(\sigma_1^{-1} d(c_3)^{-1} d(c_4) \sigma_1,\ CE(y_3, y_4))$ if and only if it satisfies the CSP $(\delta_{n+1} \sigma_1^{-1} d(c_3)^{-1} d(c_4) \sigma_1 \delta_{n+1}^{-1},\ \delta_{n+1} CE(y_3, y_4) \delta_{n+1}^{-1})$, i.e.

$\delta_{n+1} CE(y_3, y_4) \delta_{n+1}^{-1} = x\, \delta_{n+1} \sigma_1^{-1} d(c_3)^{-1} d(c_4) \sigma_1 \delta_{n+1}^{-1}\, x^{-1}$. (g)
Proposition 2.4

Let $x, CE(y_3, y_4), \sigma_1^{-1} d(c_3)^{-1} d(c_4) \sigma_1 \in B_n$ be braids satisfying (f) and let $x'_2 \in B_{n+1}$. Then

$\delta_{n+1} CE(y_3, y_4) \delta_{n+1}^{-1} = x'_2\, \delta_{n+1} \sigma_1^{-1} d(c_3)^{-1} d(c_4) \sigma_1 \delta_{n+1}^{-1}\, x_2'^{-1} \iff x_2'^{-1} x \in C_{B_{n+1}}(\delta_{n+1} \sigma_1^{-1} d(c_3)^{-1} d(c_4) \sigma_1 \delta_{n+1}^{-1})$.

We now describe a 2-centralisers attack on the MSSDP that recovers $x$. Once $x$ is recovered we attempt to find $w$ by computing $y_1 (d(c_1)\, \sigma_1\, d(x))^{-1} = w$.

It follows from the above four propositions that the MSSDP can be solved using the following steps.

(S1). Find solutions $x'_1, x'_2 \in B_{n+1}$ of

$\delta_{n+1} CE(y_1, y_2) \delta_{n+1}^{-1} = x'_1\, \delta_{n+1} \sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1 \delta_{n+1}^{-1}\, x_1'^{-1}$ (h)
$\delta_{n+1} CE(y_3, y_4) \delta_{n+1}^{-1} = x'_2\, \delta_{n+1} \sigma_1^{-1} d(c_3)^{-1} d(c_4) \sigma_1 \delta_{n+1}^{-1}\, x_2'^{-1}$ (i)

This can be done using an XSS based algorithm, e.g. using the USS technique of [5].

(S2). "Correct" the elements $x'_1, x'_2 \in B_{n+1}$ to obtain a solution $x \in B_n$ of the MSCSP in (c) and (f), i.e. find elements

$C_1 \in C_{B_{n+1}}(\delta_{n+1} \sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1 \delta_{n+1}^{-1})$, $C_2 \in C_{B_{n+1}}(\delta_{n+1} \sigma_1^{-1} d(c_3)^{-1} d(c_4) \sigma_1 \delta_{n+1}^{-1})$

that give a common solution

$t = x'_1 C_1 = x'_2 C_2 \in B_n$. (j)

In (j) we are using the fact that we are solving the MSCSP (c), (f) and attempting to recover the same value $x$ (i.e. $x = t$ here) in that MSCSP. This step is a 2-centralisers attack.

We now derive a feasibly computable subgroup of $C_{B_{n+1}}(\delta_{n+1} \sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1 \delta_{n+1}^{-1})$; the derivation for $C_{B_{n+1}}(\delta_{n+1} \sigma_1^{-1} d(c_3)^{-1} d(c_4) \sigma_1 \delta_{n+1}^{-1})$ is similar. For $c_1, c_2 \in B_n$ define the braids

$d_1 = \Delta_{n+1}^2$, $d_2 = \sigma_n \cdots \sigma_2\, d(c_1)^{-1} d(c_2)\, \sigma_2^{-1} \c\cdots \sigma_n^{-1}$, $d_3 = \sigma_1 \cdots \sigma_n \sigma_{n-1} \cdots \sigma_1$

and

$d_4 = d_1^{-1}$, $d_5 = d_2^{-1}$, $d_6 = d_3^{-1}$.

Proposition 2.5

There is a similar proposition in [16]. Let $c_1, c_2 \in B_n$ and $C = C_{B_{n+1}}(\delta_{n+1} \sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1 \delta_{n+1}^{-1})$. The following i) and ii) hold.

i) $d_1, d_2, d_3 \in C$.

ii) $C' = \langle d_1, d_2, d_3 \rangle$ is an abelian subgroup of $B_{n+1}$ (contained in $C$) and hence of polynomial growth.

Proof

Observe that

$\sigma_n \cdots \sigma_2\, d(c_1)^{-1} d(c_2)\, \sigma_2^{-1} \cdots \sigma_n^{-1} = \delta_{n+1} \sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1 \delta_{n+1}^{-1}$

so $d_2 \in C$. We know from [16] that for arbitrary $p_1 \in B_n$ elements of the form $d(p_1)\, \sigma_2^{-1} \cdots \sigma_n^{-1}$ commute with $d_3$, hence $d_3$ commutes with $d_2$, as $d_2$ is of the form $d_2 = (d(p_1)\, \sigma_2^{-1} \cdots \sigma_n^{-1})^{-1}\, d(p_2)\, \sigma_2^{-1} \cdots \sigma_n^{-1}$. $d_1$ is in the centre, hence the subgroup $C'$ is abelian. □

Straightforward variations of our attack are possible. One could be as follows: solve an MSCSP at (S1) and then correct this solution using $C_1, C_2$; we may recover the actual value of $x$ from one of the corrected solutions.

Our ideas can be summarised in the following algorithm.

Algorithm 2.1 - Heuristic Algorithm for solving the MSSDP.

INPUT: The instance of the MSSDP given by the equations (b)

$y_1 = w\, d(c_1)\, \sigma_1\, d(x)$, $y_2 = w\, d(c_2)\, \sigma_1\, d(x)$,
$y_3 = w\, d(c_3)\, \sigma_1\, d(x)$ and $y_4 = w\, d(c_4)\, \sigma_1\, d(x)$;

an objective function $f$ such that $f = 0$ when a solution to the MSSDP is found.
OUTPUT: A solution of the MSSDP.
COMPUTATION:

A. Compute

$CE(y_1, y_2) = y_1^{-1} y_2 = d(x)^{-1}\, \sigma_1^{-1}\, d(c_1)^{-1}\, d(c_2)\, \sigma_1\, d(x)$ (k)

which is the CSP with $(\sigma_1^{-1} d(c_1)^{-1} w^{-1} w\, d(c_2)\, \sigma_1,\ CE(y_1, y_2))$ and solution $d(x)$, and

$CE(y_3, y_4) = y_3^{-1} y_4 = d(x)^{-1}\, \sigma_1^{-1}\, d(c_3)^{-1}\, d(c_4)\, \sigma_1\, d(x)$. (l)

Note we have transformed the MSSDP into an MSCSP involving the shift operator, because equations (k) and (l) are an MSCSP in $d(x)$.

B. Using an XSS algorithm, e.g. the USS technique, compute solutions $s'_1, s'_2 \in B_{n+1}$ of

$\delta_{n+1} CE(y_1, y_2) \delta_{n+1}^{-1} = s'_1\, \delta_{n+1} \sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1 \delta_{n+1}^{-1}\, s_1'^{-1}$
$\delta_{n+1} CE(y_3, y_4) \delta_{n+1}^{-1} = s'_2\, \delta_{n+1} \sigma_1^{-1} d(c_3)^{-1} d(c_4) \sigma_1 \delta_{n+1}^{-1}\, s_2'^{-1}$.

C. Put $S = \{(s'_1, s'_2, f)\}$, where $f$ is evaluated at

$\big(y_1^{-1} \cdot ((y_1 \cdot d(s_1'^{-1}) \cdot \sigma_1^{-1} \cdot d(c_1^{-1})) * c_1 * s'_1)|_{\sigma_{n+1}},\ y_2^{-1} \cdot ((y_2 \cdot d(s_2'^{-1}) \cdot \sigma_1^{-1} \cdot d(c_2^{-1})) * c_2 * s'_2)|_{\sigma_{n+1}}\big)$,

and put $M = \emptyset$.

D. Until a solution is found:

1. Choose a triple $(t, u, f_t)$ from $S$ with the smallest $f_t$.

2. If $f = 0$ then output $t$ (here $t = u$) and

$w = y_1 \cdot d(s_1'^{-1}) \cdot \sigma_1^{-1} \cdot d(c_1^{-1})$. (m)

Note that if $f = 0$ then by equations (j) and (m) we get the actual value of $w$.

3. Otherwise, for each $i = 1, \ldots, K$ and $j = 1, \ldots, L$, for some natural numbers $K$ and $L$:

(i) compute $t_i = t \cdot C_i$, $u_j = u \cdot C_j$ and $f$;

(ii) if $(t_i, u_j, f)$ belongs neither to $S$ nor to $M$ then add it to $S$.

4. Remove the current triple $(t, u, f)$ from $S$ and add it to $M$.

3 An Algorithm for the Multiple Simultaneous Shifted Decomposition Problem Variant - MSSDPv

Definition. The MSSDPv (multiple simultaneous SDP variant) is as follows. Let $n > 1$ be a fixed integer. For braids $w, x, y_i, c_i \in B_\infty$, $1 \le i \le n$, find braids $w, x \in B_\infty$ such that $y_i = w\, d(c_i)\, \sigma_1\, d(x)$, where the $y_i$ are publicly known and $w, x, c_i$ are secret.

Clearly the MSSDPv generalises the MSCSPv. The generalisation from the MSSDP to the MSSDPv is similar to the generalisation from the MSCSP to the MSCSPv.

There are no known efficient solutions for the MSSDPv; one reason is that such a solution would mean the SCSP would be easy. In this section we propose a solution for the MSSDPv.

Consider $n = 4$ in the MSSDPv with $c_1 \ne c_2$ and $c_3 \ne c_4$; this is the system of equations

$y_1 = w\, d(c_1)\, \sigma_1\, d(x)$, $y_2 = w\, d(c_2)\, \sigma_1\, d(x)$, (n)
$y_3 = w\, d(c_3)\, \sigma_1\, d(x)$ and $y_4 = w\, d(c_4)\, \sigma_1\, d(x)$.

Again using CE functions we transform the MSSDPv into a shifted MSCSPv type problem very efficiently.

As the MSSDPv generalises the MSCSPv we can use our algorithm for the MSSDPv to attack the AAGL protocol in [1].

Algorithm 3.1 - Heuristic Algorithm for Solving the MSSDPv

INPUT: The instance of the MSSDPv given by equations (n) above.
OUTPUT: A solution of the MSSDPv.
COMPUTATION:
A. First we compute

$CE(y_1, y_2) = y_1^{-1} y_2 = d(x)^{-1}\, \sigma_1^{-1}\, d(c_1)^{-1}\, d(c_2)\, \sigma_1\, d(x)$ (o)

which is the CSP with $(\sigma_1^{-1} d(c_1)^{-1} w^{-1} w\, d(c_2)\, \sigma_1,\ CE(y_1, y_2))$ and solution $d(x)$, and

$CE(y_3, y_4) = y_3^{-1} y_4 = d(x)^{-1}\, \sigma_1^{-1}\, d(c_3)^{-1}\, d(c_4)\, \sigma_1\, d(x)$. (p)

Note we have transformed the MSSDPv into the MSCSPv involving the shift operator. We observe that equations (o) and (p) are an MSCSPv in $d(x)$, $\sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1$ and $\sigma_1^{-1} d(c_3)^{-1} d(c_4) \sigma_1$, and so we use algorithm 1.1 to recover the "middle elements" $\sigma_1^{-1} d(c_1)^{-1} d(c_2) \sigma_1$ and $\sigma_1^{-1} d(c_3)^{-1} d(c_4) \sigma_1$: if the middle elements have not been recovered then the algorithm has failed and stops here. Otherwise, if algorithm 1.1 fails to find $d(x)$ and hence $x$, we go to step B to attempt to find $x$ in a different way.

B. Use algorithm 2.1 to solve the MSSDP to attempt to find $x$.

C. If $x$ has not been found the algorithm has failed; otherwise the algorithm is successful.

4 Attack on Dehornoy's Shifted Conjugacy Protocol

We can apply our algorithm for the MSSDP to attack the shifted CSP based protocol of [14] in the following specific scenario. We refer the reader to [14] for details of the DSC protocol.

Alice authenticates to Bob using $r$ as described in [14]. Then Bob reuses Alice's $r$ as his random value in the commitment with another user (maybe not Alice) because he assumes it is safe to do so. Following the notation of [14] for the DSC protocol we can attack that protocol by letting, in the MSSDP, $x = w^{-1}$ and $w = r$, so that each equation reads $y_i = r * c_i$: recall from [14] that Alice's commitment is $(x_a, x'_a) = (r * p, r * p')$ where $(p, p')$ are publicly known, and similarly $(x_b, x'_b)$ denotes Bob's commitment. So the four public braids $x_a, x'_a, x_b, x'_b$ are the $y_1, \ldots, y_4$ of the MSSDP, and the public braids paired with them in each commitment ($p, p'$ for Alice's, and their counterparts for Bob's) are the $c_1, \ldots, c_4$. Then, when we have found a value for $r$ using our algorithm for the MSSDP, we would expect (because of equation (j)) this value to be the actual value of $r$ used in the protocol, rather than a different value satisfying the two-equation MSCSP in $r$. With this correct value of $r$ we can recover Alice's or Bob's secret key as follows. $r * s$ is publicly known: the attacker waits for the challenge $b = 1$ and then computes

$r^{-1} \cdot (r * s) \cdot d(r) \cdot \sigma_1^{-1} = d(s)$,

and, since the shift operator can be inverted on $d(s)$, we recover $s$, hence breaking the scheme.
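The following Python block is an added example, not code from the paper or from [14]. It models braids as freely reduced words in the Artin generators, which suffices to check the two identities used on this page, because both hold already in the free group (no braid relations are needed): the conjugacy-extractor equation (c) of section 2, in which the secret $w$ cancels in $y_1^{-1} y_2$, and the recovery $r^{-1} \cdot (r * s) \cdot d(r) \cdot \sigma_1^{-1} = d(s)$ above. The sample braids, the pairing of Alice's and Bob's commitments with the public braids $(p, p')$ and their counterparts (written `Q`, `Q2`), and the function names are this example's own constructions.

```python
# Added example, not from the paper or from [14]: braids modelled as freely
# reduced words in the Artin generators. This is enough to check the
# identities used in sections 2 and 4 because they hold in the free group
# (no braid relations are needed). Assumed conventions: a word is a tuple of
# non-zero ints, +i for sigma_i and -i for sigma_i^{-1}; all braids below
# are constructed for the demo, not taken from any protocol run.

def freely_reduce(word):
    """Cancel adjacent sigma_i sigma_i^{-1} pairs; the result is the free normal form."""
    out = []
    for g in word:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return tuple(out)

def mul(*words):
    return freely_reduce(tuple(g for w in words for g in w))

def inv(word):
    return tuple(-g for g in reversed(word))

def shift(word):
    """The shift d: sigma_i -> sigma_{i+1}, a monomorphism of B_infinity."""
    return tuple(g + 1 if g > 0 else g - 1 for g in word)

def unshift(word):
    """d^{-1}, defined only on words in which sigma_1 does not occur."""
    if any(abs(g) == 1 for g in word):
        raise ValueError("not in the image of the shift operator")
    return tuple(g - 1 if g > 0 else g + 1 for g in word)

SIGMA1 = (1,)

def shifted_conj(a, b):
    """a * b = a . d(b) . sigma_1 . d(a^{-1})."""
    return mul(a, shift(b), SIGMA1, shift(inv(a)))

def sdp(w, c, x):
    """The SDP right-hand side y = w . d(c) . sigma_1 . d(x), i.e. w * c * x."""
    return mul(w, shift(c), SIGMA1, shift(x))

def ce(y1, y2):
    """Conjugacy extractor CE(y1, y2) = y1^{-1} y2, which cancels the secret w."""
    return mul(inv(y1), y2)

def middle(c1, c2):
    """sigma_1^{-1} d(c1)^{-1} d(c2) sigma_1, the known base of the CSP in (c)."""
    return mul(inv(SIGMA1), inv(shift(c1)), shift(c2), SIGMA1)

def recover_secret(r, r_star_s):
    """r^{-1} . (r * s) . d(r) . sigma_1^{-1} = d(s); undo the shift to get s."""
    return unshift(mul(inv(r), r_star_s, shift(r), inv(SIGMA1)))

# constructed sample braids (arbitrary reduced words)
P, P2 = (1, 2, -1, 3), (2, -1, 3, 1)    # Alice's public pair (p, p')
Q, Q2 = (-4, 2, 2, 1), (1, -4, 2)       # the other user's public pair
R = (3, -2, 1, 4, -1)                   # the random braid r Alice used
S = (2, -3, 1, 1, 4)                    # the secret s to be recovered

def demo():
    """Build the four public braids as in section 4 and check (c) and the recovery."""
    # Alice commits (x_a, x_a') = (r*p, r*p'); Bob reuses r: (x_b, x_b') = (r*q, r*q')
    ys = [shifted_conj(R, c) for c in (P, P2, Q, Q2)]
    # these are the MSSDP equations y_i = w d(c_i) sigma_1 d(x) with w = r, x = r^{-1}
    x = inv(R)
    mssdp_ok = ys == [sdp(R, c, x) for c in (P, P2, Q, Q2)]
    # equation (c): CE(y1, y2) = d(x)^{-1} . middle(c1, c2) . d(x); w has cancelled
    ce_ok = ce(ys[0], ys[1]) == mul(inv(shift(x)), middle(P, P2), shift(x))
    # with r known and r * s published, the secret s follows
    s_ok = recover_secret(R, shifted_conj(R, S)) == S
    return mssdp_ok, ce_ok, s_ok
```

Comparing tuples is a valid equality test here only because free reduction gives a unique normal form and the identities checked are free-group identities; for genuine braid computations (for instance checking equation (d), which uses the braid relations) the words would have to be compared through a braid normal form instead.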

5 Comparison of Our Attack with the Longrigg-Ushakov Attack

We summarise the differences between our new attack and the LU attack in [16].

i) The LU attack is based on solving the CSP. Our attack is based on the MSCSP.

ii) The LU attack finds Alice's secret key $s$, or an equivalent key for $s$, in a different way from our attack. Our attack, when it is used to attack the DSC protocol, finds the random braid $r$ in the commitment (and not an equivalent value for $r$), then using this value of $r$ we recover $s$.

iii) The LU attack is for a general scenario. Our attack is for a more specific scenario which implies an MSCSP in $r$.

iv) The simple variation of our attack described above is based on solving the MSCSP at (S1), whereas the similar step in the LU attack is based on the CSP. Because the CSP is known to be harder than the MSCSP, our attack will succeed in recovering $s$ in some scenarios where the LU attack fails.

v) The LU attack cannot be used to solve the MSSDP but it can be used to solve the SCSP. Our attack solves the MSSDP but does not solve the version of the SCSP used in the DSC protocol, because the CE function does not exist for $s$.
vi) The LU attack only solves one equation, which is the SCSP. Our attack can be extended in a straightforward way to solve the MSSDPv and the MSSDP for any $n$: deriving the attack for a system of $n$ equations is similar to the examples for $n = 4$ given above.

We now give suggestions for selecting secure parameters. To defend against the attacks on the AAGL protocol we suggest the following.

i) Ensure if possible that elements of the centraliser of $u'_i$ give hard instances of the CSP $(k, zkz^{-1})$.

ii) Ensure that elements of the centraliser of $u'_i$ of the form $zkz^{-1}$ cannot be feasibly computed.

iii) The TTP algorithm may be modified with different choices of $BL, BR$ so that larger generators are used, within the constraints of RFID tags.

To defend against the attack on the DSC scheme we suggest the following.

i) Ensure that the instance of the MSSDP arising in the Dehornoy scheme is hard.

ii) Choose the centraliser $C$ to be large.